v2.0.1

Changes

• Add bypass for admin shell uploads when write permissions are not present on the plugins directory
• Update dependencies

v2.0

WordPress Exploit Framework 2.0 is here! 🎉

This version is NOT compatible with 1.x. To upgrade to 2.0, remove your previous installation and install the gem by running gem install wpxf.

New Features

• Loot is now stored into a .wpxf directory inside your home directory
• A data store (by default sqlite3) is now used to store information gathered by modules
• Harvested credentials can be viewed using the creds command
• Gathered loot can be viewed using the loot command
• Support for workspaces is now available and can be utilised using the workspace command
• Numerous improvements to the API have been introduced
• Custom modules can now be added to the .wpxf directory

Using Custom Modules

If you have a custom module you wish to use, you can now place it within the ~/.wpxf/modules/ directory and then load it in the CLI using the normal use {exploit_path} syntax.

v1.9.2

Bug Fixes

• Fix HTTP server not shutting down properly after unexpected errors
• Fix indentation issue when an error is thrown whilst yielding in an indent block
• Increase password complexity used by XSS stager to prevent failures in non-default setups

Dependencies

• Upgrade Ruby to 2.5.1

General Changes

• Add setg and unsetg commands to the CLI
• Improve test coverage
• Add some missing documentation

New Modules

• Add AccessPress Anonymous Post Pro < 3.2.0 shell upload
• Add Affiliate Ads for Clickbank Products <= 1.5 reflected XSS shell upload
• Add Caldera Forms <= 1.5.4 reflected XSS shell upload
• Add CSV Import-Export <= 1.1 reflected XSS shell upload
• Add Custom Map <= 1.1 reflected XSS shell upload
• Add Custom Permalinks <= 1.1 reflected XSS shell upload
• Add Duplicator <= 1.2.32 reflected XSS shell upload
• Add Emag Marketplace Connector 1.0 reflected XSS shell upload
• Add Email Subscribers & Newsletters <= 3.4.7 user list disclosure
• Add File Manager <= 5.0.0 database credentials disclosure
• Add flickrRSS <= 5.3.1 reflected XSS shell upload
• Add GD Rating System <= 2.3 reflected XSS shell upload
• Add ImageInject <= 1.15 CSRF stored XSS shell upload
• Add Instagram Feed <= 1.5.1 reflected XSS shell upload
• Add iThemes Security <= 6.9.0 stored XSS shell upload
• Add Photo Gallery by WD <= 1.3.66 reflected XSS shell upload
• Add Pinterest Feed <= 1.1.1 reflected XSS shell upload
• Add PopCash.Net Code Integration Tool <= 1.0 reflected XSS shell upload
• Add PropertyHive <= 1.4.14 reflected XSS shell upload
• Add Site Editor <= 1.1.1 file download
• Add Smart Google Code Inserter <= 3.4 stored XSS shell upload
• Add Smart Marketing SMS and Newsletters Forms <= 1.1.1 reflected XSS shell upload
• Add Social Media Widget <= 3.2.5 CSRF stored XSS shell upload
• Add srbtranslatin 1.46 CSRF stored XSS shell upload
• Add Super Socializer <= 7.10.6 authentication bypass
• Add Super Socializer <= 7.10.6 unauthenticated shell upload
• Add User Login History <= 1.5 reflected XSS shell upload
• Add WordPress <= 4.9.2 - Application Denial of Service auxiliary module
• Add WordPress Concours <= 1.1 reflected XSS shell upload
• Add WP Background Takeover <= 4.1.4 file download
• Add WP Retina 2x <= 5.2.0 reflected XSS shell upload
• Add Yoast SEO < 5.8.0 reflected XSS shell upload
• Add Z-URL Preview <= 1.6.2 reflected XSS shell upload

v1.9.1

Bug Fixes

• Using the custom payload now verifies the file exists before executing

Dependencies

• Upgrade nokogiri to 1.8.2
• Upgrade require_all to 2.0
• Upgrade Ruby to 2.4.3
• Upgrade slop to 4.6.2

API Changes

• Add new method to the text utility mixin to hexify strings

General Changes

• msfvenom is no longer required to use the Meterpreter payloads
• Modules are now placed in categorised folders for better organisation

New Modules

• Add Participants Database <= 1.5.4.8 shell upload
• Add Participants Database <= 1.7.5.9 stored XSS shell upload
• Add Splashing Images <= 2.1 reflected XSS shell upload

v1.9

Bug Fixes

• Using the custom payload now verifies the file exists before executing

Dependencies

• Upgrade require_all to 2.0
• Upgrade Ruby to 2.4.3

API Changes

• Add new method to the text utility mixin to hexify strings

General Changes

• msfvenom is no longer required to use the Meterpreter payloads
• Modules are now placed in categorised folders for better organisation

New Modules

• Add Participants Database <= 1.5.4.8 shell upload
• Add Participants Database <= 1.7.5.9 stored XSS shell upload
• Add Splashing Images <= 2.1 reflected XSS shell upload

v1.8.1

API Changes

• Add ability to specify default field values in hash dump union statement

New Modules

• Add 2kb Amazon Affiliates Store <= 2.1.0 reflected XSS shell upload
• Add BackupGuard <= 1.1.46 reflected XSS shell upload
• Add Content Audit <= 1.9.1 CSRF stored XSS shell upload
• Add RegistrationMagic - Custom Registration Forms <= 3.7.9.2 hash dump
• Add RegistrationMagic - Custom Registration Forms <= 3.7.9.2 reflected XSS shell upload
• Add UserPro <= 4.9.17 shell upload
• Add WP Mailster <= 1.5.4 reflected XSS shell upload

v1.8

Bug Fixes

• Fix API compatibility in Estatik 2.2.5 shell upload

Dependencies

• Upgrade required Ruby version to 2.4.2
• Upgrade Nokogiri to 1.8.1
• Upgrade rubyzip to 1.2.1
• Upgrade Slop to 4.5.0
• Upgrade Typhoeus to 1.3.0
• Upgrade RSpec to 3.7

API Changes

• Add new mixin to provide comment posting functionality
• Add new mixin for creating hash dump auxiliary modules
• Add support for multiple potential upload locations in the ShellUpload mixin

New Modules

• Add Responsive Image Gallery <= 1.2.0 hash dump
• Add SQL Shortcode <= 1.1 hash dump
• Add JTRT Responsive Tables <= 4.1 hash dump
• Add Simple Events Calendar <= 1.3.5 hash dump
• Add Pootle Button < 1.2 reflected XSS shell upload
• Add Embed Images in Comments <= 0.5 stored XSS shell upload
• Add Qards local port scan
• Add WP Support Plus Responsive Ticket System < 8.0.8 shell upload
• Add Events <= 2.3.4 hash dump

v1.7

Bug Fixes

• Fix cookie parsing error when parsing authentication responses

API Changes

• Add new method for executing tasks before storing a script using the StoredXss mixin

New Modules

• Add All-in-One WP Migration <= 6.45 reflected XSS shell upload
• Add Arabic Font CSRF XSS shell upload
• Add Popup Maker <= 1.6.4 reflected XSS shell upload
• Add Responsive Lightbox <= 1.7.1 reflected XSS shell upload
• Add Ultimate Product Catalogue <= 4.2.2 hash dump
• Add WP Hide & Security Enhancer <= 1.3.9.2 file download
• Add WP Live Chat Support <= 7.1.04 stored XSS shell upload
• Add WP Statistics <= 12.0.8.1 reflected XSS shell upload
• Add WP Statistics <= 12.0.9 reflected XSS shell upload
• Add WP-Members <= 3.1.7 reflected XSS shell upload
• Add WordPress Download Manager <= 2.9.51 reflected XSS shell upload

v1.6.1

Bug Fixes

• Add better handling when trying to bind to an occupied port when using the reverse_tcp payload
• Fix major bug preventing the --update switch updating hidden files

Dependencies

• Upgrade Nokogiri to ~>1.8
• Upgrade supported Ruby version to >= 2.4.1

API Changes

• Add new method for generating random month names in Utility::Text
• Add method in HttpClient for normalising relative paths to absolute URLs

New Payloads

• Add meterpreter_bind_tcp payload (requires msfvenom)
• Add meterpreter_reverse_tcp payload (requires msfvenom)

New Modules

• Add AffiliateWP <= 2.0.9 reflected XSS shell upload
• Add All In One Schema.org Rich Snippets <= 1.4.4 reflected XSS shell upload
• Add Max Buttons <= 6.18 reflected XSS shell upload
• Add Newsletter by Supsystic CSRF stored XSS shell upload
• Add Simple Slideshow Manager <= 2.3 reflected XSS shell upload
• Add Spiffy Calendar <= 3.2.0 reflected XSS shell upload
• Add Tribulant Newsletters <= 4.6.4.2 reflected XSS shell upload
• Add WP Live Chat Support <= 7.0.06 reflected XSS shell upload
• Add WP No External Links <= 3.5.18 reflected XSS shell upload

v1.6

Bug Fixes

• Add better handling when trying to bind to an occupied port when using the reverse_tcp payload

Dependencies

• Upgrade Nokogiri to ~>1.8
• Upgrade supported Ruby version to >= 2.4.1

API Changes

• Add new method for generating random month names in Utility::Text
• Add method in HttpClient for normalising relative paths to absolute URLs

New Payloads

• Add meterpreter_bind_tcp payload (requires msfvenom)
• Add meterpreter_reverse_tcp payload (requires msfvenom)

New Modules

• Add AffiliateWP <= 2.0.9 reflected XSS shell upload
• Add All In One Schema.org Rich Snippets <= 1.4.4 reflected XSS shell upload
• Add Max Buttons <= 6.18 reflected XSS shell upload
• Add Newsletter by Supsystic CSRF stored XSS shell upload
• Add Simple Slideshow Manager <= 2.3 reflected XSS shell upload
• Add Spiffy Calendar <= 3.2.0 reflected XSS shell upload
• Add Tribulant Newsletters <= 4.6.4.2 reflected XSS shell upload
• Add WP Live Chat Support <= 7.0.06 reflected XSS shell upload
• Add WP No External Links <= 3.5.18 reflected XSS shell upload