#Exploit Name: Wordpress Levo-Slideshow 2.3 Shell Upload by Unprivileged user
#Exploit Date: 5/6/2016
#Author: Aaditya Purani
#Author Blog: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-levoslideshow
#Version: 2.3
#Tested on: Wordpress 4.5.2

Hi, this is Aaditya Purani. Let's have a look at this 0-day exploit.

Plugin Description:
WP-Levoslideshow is a WordPress plugin that lets users display multiple slideshow instances in their posts, with different categories and images.

PoC (Proof of Concept):

1) Log in as an unprivileged user, one who does not even have the privilege to upload a plugin.
2) Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage
3) If a gallery already exists, don't create one; go to "Category Management", click "Add New", upload any .png / .jpg image from your PC and intercept the request.
4) After intercepting the upload request, send it to Repeater. Change filename = image.png.php and, in the POST image data, add your PHP backdoor between the image chunks. It should look like this: http://postimg.org/image/ih4lwyad7/
5) Forward the request and go to site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell] to access your shell.

That's it.

Follow: https://twitter.com/aaditya_purani
Website: https://aaditya.com

# Iranian Exploit DataBase = http://IeDb.Ir [2016-06-20]
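The root cause above is that the upload handler trusts the client-supplied filename, so a double extension such as image.png.php is stored and later served as PHP from the uploads directory. The following is an added example, not the plugin's code, showing the two controls a defender would want: a server-side filename/content check that refuses multi-extension names, and a scan of web-server access logs (constructed sample lines, Apache combined format) for PHP files being requested from under wp-content/uploads. The path layout in the sample log mirrors the one in step 5; the album number 3 is made up.

```python
import re
from pathlib import PurePosixPath

# Extension -> magic bytes the content must start with (constructed allowlist).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def safe_upload_name(filename: str, data: bytes):
    """Return a sanitised basename, or None if the upload must be rejected.

    A name like image.png.php has two extensions and is refused outright, so
    the stored file can never end in .php. Magic bytes are checked as well, but
    a real image with PHP appended still passes that check; the extension
    allowlist (plus never executing scripts from the uploads directory) is the
    control that actually matters.
    """
    name = PurePosixPath(filename).name            # drop any directory part
    parts = name.lower().split(".")
    if len(parts) != 2:                            # exactly one extension
        return None
    stem, ext = parts
    if ext not in ALLOWED or not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return None
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return None
    return f"{stem}.{ext}"

# Constructed access-log lines: the upload page, then the uploaded .php being fetched.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2016:10:01:02 +0000] "POST /wp-admin/admin.php?page=levoslideshow_manage HTTP/1.1" 200 512
10.0.0.5 - - [20/Jun/2016:10:01:09 +0000] "GET /wp-content/uploads/levoslideshow/3_uploadfolder/big/image.png.php HTTP/1.1" 200 88
10.0.0.7 - - [20/Jun/2016:10:02:00 +0000] "GET /wp-content/uploads/levoslideshow/3_uploadfolder/big/image.png HTTP/1.1" 200 4096
"""
HIT = re.compile(r'"(?:GET|POST) (/wp-content/uploads/\S*\.php\d?)(?:\?\S*)? HTTP')

def find_script_hits(log_text: str):
    """Return (client_ip, path) for each request to a PHP file under wp-content/uploads.

    Any hit is a strong signal: nothing legitimate should be served as PHP from there.
    """
    hits = []
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits
```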