CVE-2019-15858

HIGH NUCLEI

Woody ad snippets < 2.2.5 - Unauthenticated Options Import


Exploitation Summary

EIP tracks 8 public exploits for CVE-2019-15858. PoCs have been published by GeneralEG and orangmuda. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-15858, targeting an unauthenticated remote code execution vulnerability in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit leverages an options import vulnerability combined with stored XSS to achieve RCE.

Description

admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.

Exploits (8)

nomisec WORKING POC 32 stars
by GeneralEG · poc
https://github.com/GeneralEG/CVE-2019-15858

This repository contains a functional exploit for CVE-2019-15858, targeting an unauthenticated remote code execution vulnerability in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit leverages an options import vulnerability combined with stored XSS to achieve RCE.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Woody Ad Snippets plugin <= 2.2.4
No auth needed
Prerequisites: Target must be running vulnerable version of Woody Ad Snippets plugin · Target must have the plugin's admin interface accessible
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by orangmuda · poc
https://github.com/orangmuda/CVE-2019-15858

This repository contains a functional exploit for CVE-2019-15858, which combines an unauthenticated options import vulnerability with a stored XSS to achieve remote code execution in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit uploads a malicious JSON payload to trigger the vulnerability and includes a JavaScript-based RCE payload for further exploitation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Woody Ad Snippets plugin <= 2.2.4
No auth needed
Prerequisites: Target must be running vulnerable version of Woody Ad Snippets plugin · WordPress installation must be accessible
devstral-2 · analyzed Feb 18, 2026

inthewild WORKING POC
poc
https://github.com/thomsdev/cve-2019-15858

This repository contains a functional exploit for CVE-2019-15858, which combines an unauthenticated options import vulnerability with a stored XSS to achieve remote code execution in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit uploads a malicious JSON payload and leverages a JavaScript-based RCE to execute arbitrary PHP code.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Woody Ad Snippets plugin <= 2.2.4
No auth needed
Prerequisites: Target must be running vulnerable plugin version · Attacker must be able to reach the WordPress admin interface
devstral-2 · analyzed Feb 23, 2026

inthewild WORKING POC
poc
https://github.com/rakhanobe/cve-2019-15858

This repository contains a functional exploit for CVE-2019-15858, targeting the Woody Ad Snippets WordPress plugin (versions 2.2.4 and below). The exploit combines an unauthenticated options import vulnerability with stored XSS to achieve remote code execution by uploading a malicious payload.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Woody Ad Snippets WordPress plugin (versions <= 2.2.4)
No auth needed
Prerequisites: Target must be running vulnerable plugin version · Attacker must provide a list of target sites and a payload file
devstral-2 · analyzed Feb 23, 2026

inthewild WORKING POC
poc
https://github.com/oxctdev/cve-2019-15858

This repository contains a functional exploit for CVE-2019-15858, which combines an unauthenticated options import vulnerability with a stored XSS to achieve remote code execution in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit uploads a malicious JSON payload to trigger the vulnerability and includes a JavaScript-based RCE payload for further exploitation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Woody Ad Snippets plugin <= 2.2.4
No auth needed
Prerequisites: Target running vulnerable WordPress plugin · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 23, 2026

inthewild WORKING POC
poc
https://github.com/onsecuredev/cve-2019-15858

This repository contains a functional exploit for CVE-2019-15858, which combines an unauthenticated options import vulnerability with a stored XSS to achieve remote code execution in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit uploads a malicious JSON payload to trigger the vulnerability and includes a JavaScript-based RCE payload for further exploitation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Woody Ad Snippets plugin (versions 2.2.4 and below)
No auth needed
Prerequisites: Target WordPress site with vulnerable Woody Ad Snippets plugin installed · Payload file in JSON format
devstral-2 · analyzed Feb 23, 2026

inthewild WORKING POC
poc
https://github.com/byteofjoshua/cve-2019-15858

This repository contains a functional exploit for CVE-2019-15858, which combines an unauthenticated options import vulnerability with a stored XSS to achieve remote code execution in the WordPress Woody Ad Snippets plugin (versions 2.2.4 and below). The exploit uploads a malicious JSON payload to trigger the vulnerability and includes a JavaScript-based RCE payload for further exploitation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Woody Ad Snippets plugin (versions 2.2.4 and below)
No auth needed
Prerequisites: Target must be running a vulnerable version of the Woody Ad Snippets plugin · Attacker must be able to send HTTP requests to the target WordPress site
devstral-2 · analyzed Feb 23, 2026

inthewild WORKING POC
poc
https://github.com/byteofandri/cve-2019-15858

This repository contains a functional exploit for CVE-2019-15858, targeting the Woody Ad Snippets WordPress plugin (versions 2.2.4 and below). The exploit combines an unauthenticated options import vulnerability with a stored XSS to achieve remote code execution by uploading a malicious JSON payload and leveraging a crafted JavaScript file to install a PHP backdoor.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Woody Ad Snippets WordPress Plugin (versions <= 2.2.4)
No auth needed
Prerequisites: Target must be running a vulnerable version of the Woody Ad Snippets plugin · WordPress admin interface must be accessible
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

WordPress Woody Ad Snippets <2.2.5 - Cross-Site Scripting/Remote Code Execution
HIGH · by dwisiswant0, fmunozs, patralos

Scores

CVSS v3: 8.8
EPSS: 0.7021
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-306
Status: published
Products (1): webcraftic/woody_ad_snippets < 2.2.5
Published: Sep 03, 2019
Tracked Since: Feb 18, 2026