File Upload to RCE (file-upload-rce)

🔹 1. Uploading & Activating a Malicious Plugin

  • Direct path: attacker uploads a .zip plugin, activates it, gains code execution.

  • Plugins run with PHP execution, so even one small malicious hook = RCE.

  • Editing Existing Theme/Plugin Files via Dashboard


🔹 2. Uploading a Malicious Theme

  • Same as plugin, but uploaded via Appearance → Themes → Add New.

  • Theme PHP files (e.g., functions.php, header.php, footer.php) are executed.

  • Malicious code is executed as soon as the theme is activated.


🔹 3. Media Library Upload Abuse

  • Normally WordPress restricts uploads to safe file types (.jpg, .png, .pdf, etc.).

  • If a misconfigured server or plugin allows .php upload, an attacker can drop webshells into /wp-content/uploads/.

  • Even if PHP files are renamed (e.g., shell.php.jpg), some vulnerable configs parse them as PHP.
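
A defender-side audit for the conditions above, as an added example that is not part of the original notes: it walks an uploads directory and flags files that carry a PHP-executable extension anywhere in the name (including the shell.php.jpg pattern) or contain a PHP open tag. The extension list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re

# Extensions a PHP handler may execute (assumed list; match it to your server's handler config).
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(path):
    """Return the reasons a file under uploads/ deserves review (empty list if none)."""
    reasons = []
    exts = os.path.basename(path).lower().split(".")[1:]  # every extension, not only the last
    if exts and exts[-1] in EXEC_EXT:
        reasons.append("executable-extension")
    elif any(e in EXEC_EXT for e in exts):
        reasons.append("double-extension")  # e.g. shell.php.jpg
    with open(path, "rb") as fh:
        if PHP_TAG.search(fh.read(1 << 20)):  # scan the first 1 MiB for an open tag
            reasons.append("php-open-tag")
    return reasons

def audit_uploads(root):
    """Walk an uploads directory and map relative path -> list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def make_sample(root):
    """Build a constructed sample tree; contents are harmless markers only."""
    samples = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0constructed image bytes",
        "2024/01/shell.php.jpg": b"<?php /* constructed marker */ ?>",
        "2024/02/notes.phtml": b"plain text, constructed",
        "2024/02/report.pdf": b"%PDF-1.4 constructed",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for rel, why in sorted(audit_uploads(tmp).items()):
            print(rel, why)
```

On a real site, point `audit_uploads` at the wp-content/uploads path; any hit there warrants review, since that directory should hold media only.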


🔹 4. Exploiting Vulnerable File Upload Plugins

  • Many plugins offer custom file uploads (contact forms, galleries, shop product imports, membership forms, etc.).

  • Examples: vulnerable versions of RevSlider, wfu_file_downloader.php.


🔹 5. Import / Export Functionality Exploits

  • WordPress allows import/export of XML or JSON content.

  • Vulnerable importers (e.g., old WP All Import) sometimes allow PHP code injection inside templates or imports.

  • Example: uploading a malicious XML with embedded PHP payload → execution.

