CVE-2018-15877
published 2018-08-26

Priority P2 · 75 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 76.99% (99.5th percentile)

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

Affected

1 range

Vendor | Product | Version range | Fixed in
plainview_activity_monitor_project | plainview_activity_monitor | < 20180826 | 20180826

Detection & IOCs (extracted from sources)

url: wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools
command: google.com.tr | <cmd>
command: google.fr | whoami
path: /wp-admin/admin.php
path: activities_overview.php
version: 20161228

  • Detect POST requests to the vulnerable endpoint with pipe/shell metacharacters in the 'ip' POST parameter, indicating OS command injection attempts.
  • Monitor POST requests where the 'ip' parameter contains pipe characters (|) followed by OS commands such as whoami, id, pwd — a hallmark of this exploit's injection pattern.
  • Alert on HTTP responses containing the string 'Output from dig:' in conjunction with unexpected command output, which is how the exploit parses and exfiltrates command results.
  • Look for authenticated WordPress sessions (wordpress_* cookies) making POST requests to admin.php with page=plainview_activity_monitor&tab=activity_tools and a 'lookup' field, as this is the exact exploit request structure.
  • Flag installations running Plainview Activity Monitor plugin version 20161228 or earlier as vulnerable; version 20180826 is the patched release.
  • Exploitation requires valid WordPress credentials (authenticated attack); unauthenticated exploitation is not possible.
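
The request-side checks from the list above, as an added Python example (not from the source advisory or the plugin's code). The record shape, the function names and the two sample requests are constructed assumptions; adapt the field extraction to your own proxy or WAF log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that never belong in a hostname or IP address but are meaningful to a shell.
SHELL_META = re.compile(r"[|;&`$<>(){}\\\r\n]")
# What a legitimate lookup target looks like: hostname, IPv4 or IPv6 literal.
SAFE_TARGET = re.compile(r"[A-Za-z0-9.:\-]{1,253}")

def targets_activity_tools(url):
    """True if the URL is the plugin's activity_tools admin page."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return (parts.path.endswith("/wp-admin/admin.php")
            and query.get("page") == ["plainview_activity_monitor"]
            and query.get("tab") == ["activity_tools"])

def inspect_request(method, url, body, cookie_header=""):
    """Return findings for one logged request; an empty list means no match."""
    if method.upper() != "POST" or not targets_activity_tools(url):
        return []
    form = parse_qs(body, keep_blank_values=True)  # also URL-decodes %7C, + etc.
    findings = []
    for ip in form.get("ip", []):
        if SHELL_META.search(ip):
            findings.append("shell metacharacter in ip")
        elif not SAFE_TARGET.fullmatch(ip):
            findings.append("ip is not a hostname or address")
    if findings:  # add context only when the ip value itself is suspicious
        if "lookup" in form:
            findings.append("lookup field present")
        cookies = [c.strip() for c in cookie_header.split(";")]
        if any(c.startswith("wordpress_") for c in cookies):
            findings.append("authenticated wordpress_* session")
    return findings

# Constructed sample records: (method, url, body, cookie header).
ENDPOINT = "/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools"
COOKIE = "wordpress_logged_in_example=constructed; wp-settings-1=x"
BENIGN = ("POST", ENDPOINT, "ip=8.8.8.8&lookup=Lookup", COOKIE)
SUSPICIOUS = ("POST", ENDPOINT, "ip=google.fr+%7C+whoami&lookup=Lookup", COOKIE)

if __name__ == "__main__":
    for record in (BENIGN, SUSPICIOUS):
        print(record[2], "->", inspect_request(*record))
```

Pair request-side hits with the response-side indicator ('Output from dig:' followed by unexpected output) before escalating, since the request check alone does not show whether the host was running a vulnerable plugin version.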

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C