CVE-2018-15877
Published 2018-08-26
Priority: P2 · 75 · high · CVSS 3.1: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 76.99% (99.5th percentile)
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plainview_activity_monitor_project | plainview_activity_monitor | < 20180826 | 20180826 |
Detection & IOCs
- Detect POST requests to the vulnerable endpoint with pipe/shell metacharacters in the 'ip' POST parameter, indicating OS command injection attempts.
- Monitor POST requests where the 'ip' parameter contains pipe characters (|) followed by OS commands such as whoami, id, pwd; this is a hallmark of this exploit's injection pattern.
- Alert on HTTP responses containing the string 'Output from dig:' in conjunction with unexpected command output, which is how the exploit parses and exfiltrates command results.
- Look for authenticated WordPress sessions (wordpress_* cookies) making POST requests to admin.php with page=plainview_activity_monitor&tab=activity_tools and a 'lookup' field, as this is the exact exploit request structure.
- Flag installations running Plainview Activity Monitor plugin version 20161228 or earlier as vulnerable; version 20180826 is the patched release.
- Exploitation requires valid WordPress credentials (authenticated attack); unauthenticated exploitation is not possible.
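The request-level indicators above can be combined into one check over captured request records. This is an added example, not code from this page or from any of the sources it indexes; the record layout (method, url, body, cookies, response_excerpt) and the indicator labels are hypothetical, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a shell treats specially; none of them belong in an IP address.
SHELL_META = re.compile(r"[|;&`$(){}<>\n\\]")

def is_tools_endpoint(url):
    """True when the URL targets the plugin's activity_tools tab in wp-admin."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return (parts.path.endswith("/wp-admin/admin.php")
            and query.get("page") == ["plainview_activity_monitor"]
            and query.get("tab") == ["activity_tools"])

def findings(record):
    """Return the indicators from the list above that one request record matches."""
    hits = []
    if record["method"] != "POST" or not is_tools_endpoint(record["url"]):
        return hits
    # parse_qs URL-decodes values, so %7C is seen as '|' before matching.
    form = parse_qs(record.get("body", ""), keep_blank_values=True)
    if any(SHELL_META.search(value) for value in form.get("ip", [])):
        hits.append("ip-metachar")
    if "lookup" in form:
        hits.append("lookup-field")
    if any(name.startswith("wordpress_") for name in record.get("cookies", [])):
        hits.append("authenticated-session")
    if "Output from dig:" in record.get("response_excerpt", ""):
        hits.append("dig-output-in-response")
    return hits

def is_alert(record):
    """Only the metacharacter hit alerts; the rest describe normal tool use too."""
    return "ip-metachar" in findings(record)

TOOLS_URL = "/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools"
SAMPLE = [  # constructed records, not real traffic
    {"method": "POST", "url": TOOLS_URL, "body": "ip=8.8.8.8&lookup=Lookup",
     "cookies": ["wordpress_logged_in_example"],
     "response_excerpt": "Output from dig: (lookup result)"},
    {"method": "POST", "url": TOOLS_URL, "body": "ip=8.8.8.8%7C+id&lookup=Lookup",
     "cookies": ["wordpress_logged_in_example"],
     "response_excerpt": "Output from dig: (lookup result)"},
    {"method": "GET", "url": TOOLS_URL, "body": "", "cookies": []},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["method"], rec["body"], findings(rec), is_alert(rec))
```

The first sample is a legitimate lookup by an administrator: it matches the structural indicators but raises no alert, which is why the alert keys on the content of 'ip' rather than on the request shape alone.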
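CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |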
No detection rules found.
Exploit-DB
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
exploitdb·2021-07-07·CVSS 8.8
---
# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
# Date: 07.07.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
# Version: 20161228 and possibly prior
# Fixed version: 20180826
# CVE : CVE-2018-15877
"""
Usage:
┌──(root@kali)-[~/tools]
└─# python3 WordPress-Activity-Monitor-RCE.py
What's your target IP?
192.168.101.28
What's your username?
mark
What's your password?
password123
[*] Please wait...
[*] Perfect!
[email protected]
Exploit-DB
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection
exploitdb·2018-08-27·CVSS 8.8
---
history.pushState('', '', '/')
Metasploit
Wordpress Plainview Activity Monitor RCE
metasploit
Plainview Activity Monitor Wordpress plugin is vulnerable to OS command injection which allows an attacker to remotely execute commands on underlying system. Application passes unsafe user supplied data to ip parameter into activities_overview.php. Privileges are required in order to exploit this vulnerability.
Vulnerable plugin version: 20161228 and possibly prior
Fixed plugin version: 20180826
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/155502/WordPress-Plainview-Activity-Monitor-20161228-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/163425/WordPress-Plainview-Activity-Monitor-20161228-Remote-Code-Execution.html
- https://github.com/aas-n/CVE/tree/master/CVE-2018-15877
- https://www.exploit-db.com/exploits/45274/