CVE-2018-15877

HIGH LAB

Plainview Activity Monitor < 20180826 - OS Command Injection via IP Parameter


Exploitation Summary

EIP tracks 6 public exploits for CVE-2018-15877. PoCs published by Lydéric Lefebvre, Beren Kuday GÖRÜN, Cinnamon1212, including Metasploit module exploits/unix/webapp/wp_plainview_activity_monitor_rce.

AI-analyzed exploit summary: This PoC exploits an OS command injection vulnerability in the Plainview Activity Monitor WordPress plugin (CVE-2018-15877) by injecting a malicious payload into the 'ip' parameter. The exploit combines CSRF to trick an admin into executing the payload, leading to a reverse shell.

Description

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Lydéric Lefebvre · html · webapps · php
https://www.exploit-db.com/exploits/45274

This PoC exploits an OS command injection vulnerability in the Plainview Activity Monitor WordPress plugin (CVE-2018-15877) by injecting a malicious payload into the 'ip' parameter. The exploit combines CSRF to trick an admin into executing the payload, leading to a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Plainview Activity Monitor WordPress plugin (version 20161228 and prior)
Auth required
Prerequisites: Admin privileges or ability to trick an admin into clicking a malicious link · Network connectivity to the target WordPress site
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Beren Kuday GÖRÜN · python · webapps · php
https://www.exploit-db.com/exploits/50110

This exploit leverages a command injection vulnerability in the WordPress Plugin Plainview Activity Monitor (version 20161228 and prior) by injecting commands via the 'ip' parameter in the 'activity_tools' tab. It authenticates as a WordPress user and executes arbitrary commands, returning the output to the attacker.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Plainview Activity Monitor 20161228 and prior
Auth required
Prerequisites: Valid WordPress credentials · Target running vulnerable version of Plainview Activity Monitor
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by Cinnamon1212 · poc
https://github.com/Cinnamon1212/CVE-2018-15877-RCE

This exploit leverages a command injection vulnerability in the Plainview Activity Monitor WordPress plugin (CVE-2018-15877) to achieve remote code execution. It uses Selenium to automate login and inject a reverse shell payload via a manipulated input field.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Plainview Activity Monitor WordPress plugin
Auth required
Prerequisites: Valid WordPress credentials · Selenium with Firefox WebDriver · Network access to target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2018-15877

This repository contains a Docker setup for CVE-2018-15877, a vulnerability in the Plainview Activity Monitor WordPress plugin. The script initializes a vulnerable WordPress environment with MySQL and Apache, activating the vulnerable plugin to demonstrate the exploit.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Plainview Activity Monitor plugin (version 20161228)
Auth required
Prerequisites: Docker environment · WordPress installation · MySQL and Apache services
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by qq431169079 · html · poc
https://github.com/qq431169079/CVE/tree/master/CVE-2018-15877

This repository contains a functional proof-of-concept for CVE-2018-15877, demonstrating an OS command injection vulnerability in the Plainview Activity Monitor WordPress plugin. The exploit leverages the 'ip' parameter in a POST request to execute arbitrary commands on the underlying system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Plainview Activity Monitor WordPress plugin (version 20161228 and prior)
Auth required
Prerequisites: WordPress admin access · Plainview Activity Monitor plugin installed and activated
devstral-2 · analyzed Feb 27, 2026

metasploit WORKING POC EXCELLENT
by Lydéric LEFEBVRE, Leo LE BOUTER · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb

This Metasploit module exploits a command injection vulnerability in the WordPress Plainview Activity Monitor plugin by injecting a PHP payload into the 'ip' parameter. It requires authentication and targets versions prior to 20180826.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plainview Activity Monitor plugin (versions 20161228 and prior)
Auth required
Prerequisites: Valid WordPress credentials · Vulnerable plugin version installed
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/aas-n/CVE/tree/master/CVE-2018-15877
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45274/

Scores

CVSS v3 8.8
EPSS 0.8032
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (1): plainview_activity_monitor_project/plainview_activity_monitor < 20180826
Published: Aug 26, 2018
Tracked Since: Feb 18, 2026