WordPress Theme “dance-studio” Vulnerable to Arbitrary Shell Upload

A vulnerability in the WordPress theme “dance-studio” has been found that permits attackers to upload malicious files, such as a shell, onto the targeted website. The exploit was posted to the exploit database 0day.today and was authored by a security analyst going by the alias xBADGIRL21. When used, the exploit uploads a shell file onto the website via the “/wp-content/uploads/” directory path.

Screenshot of the full exploit uploaded to the 0day.today exploit database by xBADGIRL21

xBADGIRL21 also uploaded a YouTube video demonstrating how the exploit can be used to breach WordPress websites that have the theme installed. The exploit runs an HTML script that lets the attacker upload any file they want.

Video proof of concept (PoC) of the exploitation of the vulnerability, uploaded to YouTube by author xBADGIRL21:

Code used to upload the shell onto the dance-studio themed WordPress website:

Screenshot of the HTML code of the exploit

WordPress itself has nothing to do with the bugs found. It is solely a problem with the code the theme's programmers have implemented. The theme's creators and coders are not yet aware of the exploit, since no patch has been made or deployed. The creators of the dance-studio theme have not addressed the critical vulnerability as of yet either.
