Vulnerability & Exploit Database

WordPress Plugin Advanced Custom Fields Remote File Inclusion

This module exploits a remote file inclusion flaw in Advanced Custom Fields, a plugin for the WordPress blogging software. The vulnerability allows remote file inclusion and remote code execution via the export.php script. Advanced Custom Fields versions 3.5.1 and below are vulnerable. The exploit only works when the PHP option allow_url_include is set to On (the default is Off).
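The two preconditions stated above (plugin version 3.5.1 or below, and allow_url_include set to On) can be checked on a host you administer. The following is an added example, not part of the Metasploit module or the plugin; the sample plugin header and php.ini text are constructed, and the function names are hypothetical.

```python
import re

LAST_VULNERABLE = (3, 5, 1)            # per the description: 3.5.1 and below
_TRUE = {"1", "on", "yes", "true"}     # values PHP's ini parser reads as true

def ini_flag(ini_text, name):
    """Effective boolean for `name` in one ini file; the last assignment wins.
    An absent directive counts as Off, the default the description states."""
    value = False
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1) == name:
            value = m.group(2).strip().strip("\"'").lower() in _TRUE
    return value

def plugin_version(header_text):
    """Parse the 'Version:' line of a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:          # treat 3.5.1.0 as 3.5.1
        parts.pop()
    return tuple(parts)

def check(header_text, ini_text):
    """Report both preconditions; 'exposed' is True only when both hold."""
    ver = plugin_version(header_text)
    old = ver is not None and ver <= LAST_VULNERABLE
    inc = ini_flag(ini_text, "allow_url_include")
    return {"version": ver, "vulnerable_version": old,
            "allow_url_include": inc, "exposed": old and inc}

# Constructed sample inputs (not taken from a real installation).
SAMPLE_HEADER = """/*
Plugin Name: Advanced Custom Fields
Version: 3.5.1
*/"""
SAMPLE_INI = """[PHP]
allow_url_include = Off
; allow_url_include = On   (commented out, ignored)
allow_url_include = On
"""

if __name__ == "__main__":
    print(check(SAMPLE_HEADER, SAMPLE_INI))
```

The check reads only the ini text it is given; settings applied by other configuration layers are not seen, so confirm the live value on the server as well.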

Module Name

exploit/unix/webapp/wp_advanced_custom_fields_exec

Authors

  • Charlie Eriksen <charlie [at] ceriksen.com>

References

Targets

  • Automatic

Platforms

  • php

Architectures

  • php

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/webapp/wp_advanced_custom_fields_exec
msf exploit(wp_advanced_custom_fields_exec) > show targets
    ...targets...
msf exploit(wp_advanced_custom_fields_exec) > set TARGET <target-id>
msf exploit(wp_advanced_custom_fields_exec) > show options
    ...show and set options...
msf exploit(wp_advanced_custom_fields_exec) > exploit