Description: A significant security vulnerability has been identified in WordPress Core versions up to 6.5.1, tracked as CVE-2024-4439. This vulnerability is a stored Cross-Site Scripting (XSS) flaw, allowing attackers to inject harmful web scripts through the Avatar block. The flaw arises due to insufficient output escaping of user display names, enabling both authenticated and unauthenticated attackers to execute arbitrary PHP commands.
🛠️ Exploit Code: The provided exploit code demonstrates the exploitation of CVE-2024-4439. By injecting a crafted payload into the Avatar block, the attacker can execute arbitrary PHP commands on the target server. This particular exploit showcases the injection of a reverse shell payload, facilitating unauthorized access to the server.
What do you think?
It is nice to know your opinion. Leave a comment.