WordPress Remote Code Execution [RCE] vulnerability || File upload webshell POC

// Description //
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

// Patch //
All versions up to and including 1.1.0 of the Hash Form – Drag & Drop Form Builder plugin for WordPress are affected. Update to the latest patched version when available.

// Mitigation //
As a mitigation, disable the Hash Form plugin until a patched version is available. Implement additional access controls and input validation to prevent arbitrary file uploads.
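
The access control and file type validation described above, sketched as an added example: this is a hypothetical handler, not the Hash Form plugin's own code and not from the video. The action name, nonce name, field name and allow-list are assumptions; the WordPress functions called are core APIs.

```php
<?php
// Added illustration: hypothetical AJAX upload handler, not the plugin's code.
// 'example_file_upload_action', 'example_upload_nonce' and 'example_file' are assumed names.

// Only the authenticated hook is registered. With no wp_ajax_nopriv_ hook,
// requests from logged-out visitors never reach the handler.
add_action( 'wp_ajax_example_file_upload_action', 'example_file_upload_action' );

function example_file_upload_action() {
    // Access control: valid nonce plus a capability check.
    check_ajax_referer( 'example_upload_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( empty( $_FILES['example_file'] ) || UPLOAD_ERR_OK !== $_FILES['example_file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }
    $file = $_FILES['example_file'];

    // Allow-list of extension => MIME type (assumed set). Everything else,
    // including .php and .phtml, is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Explicit type check: the extension must be on the allow-list and, where
    // WordPress can inspect the content, the content must match it.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted.' ), 415 );
    }

    // wp_handle_upload() lives in an admin include on AJAX requests.
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Store the file through core, which picks a unique file name and
    // applies the same allow-list again.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'type' => $result['type'] ) );
}
```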

// Disclaimer //
This script is intended for educational purposes only. Unauthorized use of this script on systems you do not own or do not have explicit permission to test is illegal and unethical. The author is not responsible for any misuse of this script.
