funixone/EXPLOIT-CVE-2026-8832-
GitHub: funixone/EXPLOIT-CVE-2026-8832-
Stars: 0 | Forks: 0
# EXPLOIT-CVE-2026-8832

An exploitation tool to test for **Remote Code Execution (RCE)** in the WordPress plugin **WPCode Lite (Insert Headers and Footers) v2.3.5**. The vulnerability stems from registering the Custom Post Type (CPT) `wpcode` without a custom `capability_type`: `register_post_type()` then falls back to the default `post` capabilities, so any user who may create ordinary posts, i.e. the **Author** role or higher, may also create `wpcode` snippet posts. Because those snippets are PHP that the plugin executes, an Author can run arbitrary PHP code on the server by submitting a snippet through XML-RPC.
## ⚠️ Disclaimer
**FOR AUTHORIZED SECURITY TESTING ONLY.**
Unauthorized usage of this tool against systems you do not own is **ILLEGAL**. Use this strictly on systems where you have explicit, written permission to conduct penetration testing. The author assumes no liability and is not responsible for any misuse or damage caused by this program.
## 🚀 Features
- **Automated Exploitation**: Executes the full exploit chain from fingerprinting to code execution in 6 automated steps.
- **XML-RPC Bypass**: Submits the snippet through the `wp.newPost` XML-RPC method, so the administrative checks the plugin applies in its own UI never run; only WordPress core's post-type capability check applies, and that check passes for Authors because the type inherits the `post` capabilities.
- **Pure PHP Payloads**: All built-in payloads use only native PHP functions and never call `shell_exec`, `system` or similar process-spawning functions. They therefore keep working in shared hosting environments (such as CloudLinux) whose `disable_functions` list blocks those functions. Whether a given payload works still depends on exactly which functions the host has disabled.
- **Web-Based Interactive Shell**: Includes a web-GUI payload option to easily navigate and execute PHP commands from a browser.
- **Auto-Cleanup**: Removes the test snippets and trigger posts it created from the database after execution.
## 📦 Requirements
- Python 3.6+
- `requests` library

```
pip install requests
```
## 🛠️ Usage
Run the script from your terminal/command prompt:

```
python wpcode_rce_tester.py
```
The tool will prompt you interactively for the following:
1. **WordPress URL**: The target URL (e.g., `http://localhost`).
2. **Username**: A user account username with at least **Author** privileges.
3. **Password**: The password for the account.
4. **Payload**: The payload choice you wish to execute (select 1-8).
## 🛡️ Remediation
To secure your WordPress site:
1. Immediately update the **WPCode Lite** plugin to the latest version.
2. If updating is not possible, disable authenticated XML-RPC methods if XML-RPC is not in use by adding the following to a plugin or *mu-plugins*:

```
add_filter('xmlrpc_enabled', '__return_false');
```

Note that this filter only rejects XML-RPC methods that require a login, which is enough to stop `wp.newPost`; `xmlrpc.php` itself stays reachable for unauthenticated methods such as `pingback.ping`. Block the endpoint at the web server if you want it gone entirely.
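The mu-plugin below is an added example of the hardening described in this README; it is not WPCode's own code and not part of the tool in this repository. It assumes the plugin registers its snippet type with `register_post_type( 'wpcode', ... )` (the root cause stated above), that site administrators hold `manage_options`, and that no other role legitimately needs to create snippets. Part 1 fixes the root cause from outside the plugin by giving the `wpcode` type its own capability set instead of the inherited `post` one; part 2 is the XML-RPC switch-off from remediation step 2.

```php
<?php
/**
 * Plugin Name: Harden wpcode CPT (added example, not WPCode's own code)
 * Description: Drop into wp-content/mu-plugins/ so it loads before the plugin.
 */

// Part 1: the actual fix for the missing capability_type.
// register_post_type_args fires for every post type as it is registered, so we
// can rewrite the arguments WPCode passes without touching the plugin itself.
// Assumption: the snippet type is registered under the name 'wpcode'.
add_filter( 'register_post_type_args', function ( array $args, string $post_type ) {
	if ( 'wpcode' !== $post_type ) {
		return $args;
	}

	// Map every meta and primitive capability of this type onto manage_options.
	// With map_meta_cap enabled, edit_post/delete_post resolve through the
	// primitive caps listed here, so nothing falls back to edit_posts.
	$admin_only = array_fill_keys(
		array(
			// meta capabilities
			'edit_post',
			'read_post',
			'delete_post',
			// primitive capabilities
			'edit_posts',
			'edit_others_posts',
			'edit_private_posts',
			'edit_published_posts',
			'publish_posts',
			'read_private_posts',
			'delete_posts',
			'delete_private_posts',
			'delete_published_posts',
			'delete_others_posts',
			'create_posts',
		),
		'manage_options'
	);

	$args['capability_type'] = 'wpcode';   // no longer 'post'
	$args['map_meta_cap']    = true;
	$args['capabilities']    = $admin_only;

	return $args;
}, 10, 2 );

// Part 2: remediation step 2 from the README. This only rejects XML-RPC
// methods that need a login (wp.newPost included); unauthenticated methods
// such as pingback.ping remain reachable on xmlrpc.php.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Part 1 alone closes the vector this tool exercises, because `wp.newPost` enforces the target post type's own `create_posts`/`edit_posts` capabilities, which an Author no longer holds for `wpcode`. If XML-RPC is needed (Jetpack, the mobile apps), keep part 1 and drop part 2. Verify the result by logging in as an Author and confirming that `wp.newPost` with `post_type` set to `wpcode` now returns a fault, and that an Administrator can still manage snippets in the plugin's UI.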