File Upload to RCE (file-upload-rce)

🔹 1. Uploading & Activating a Malicious Plugin

• Direct path: attacker uploads a .zip plugin, activates it, gains code execution.

• Plugins run with PHP execution, so even one small malicious hook = RCE.

• Editing Existing Theme/Plugin Files via Dashboard

🔹 2. Uploading a Malicious Theme

• Same as plugin, but uploaded via Appearance → Themes → Add New.

• Theme PHP files (e.g., functions.php, header.php, footer.php) are executed.

• Malicious code is executed as soon as theme is activated.

🔹 3. Media Library Upload Abuse

• Normally WordPress restricts uploads to safe file types (.jpg, .png, .pdf, etc.).

• If a misconfigured server or plugin allows .php upload, an attacker can drop webshells into /wp-content/uploads/.

• Even if PHP files are renamed (e.g., shell.php.jpg), some vulnerable configs parse them as PHP.

🔹 4. Exploiting Vulnerable File Upload Plugins

• Many plugins offer custom file uploads (contact forms, galleries, shop product imports, membership forms, etc.).

• Examples: vulnerable versions of RevSlider, wfu_file_downloader.php.

🔹 5. Import / Export Functionality Exploits

• WordPress allows import/export of XML or JSON content.

• Vulnerable importers (e.g., old WP All Import) sometimes allow PHP code injection inside templates or imports.

• Example: uploading a malicious XML with embedded PHP payload → execution.