CVE-2021-38314

This PoC exploits an unauthenticated sensitive information disclosure vulnerability in Redux Framework by chaining MD5-based key generation and remote code verification to leak sensitive data via WordPress admin-ajax.php.

The exploit leverages predictable AJAX action names derived from MD5 hashes of the site URL to retrieve sensitive information, including active plugins, PHP version, and an unsalted MD5 hash of WordPress authentication keys. The PoC automates the process by generating the required hashes and querying the vulnerable endpoints.

The repository contains a functional Python exploit for CVE-2021-38314, which targets the Gutenberg Template Library & Redux Framework plugin for WordPress. The exploit retrieves sensitive information by leveraging predictable AJAX actions based on MD5 hashes of the site URL.

This repository contains a functional PHP exploit for CVE-2021-38314, which leverages predictable AJAX actions in the Redux Framework plugin to disclose sensitive information such as active plugins, PHP version, and unsalted hashes of WordPress authentication keys.

The repository contains a functional Python script that exploits CVE-2021-38314, an unauthenticated AJAX action vulnerability in the Gutenberg Template Library & Redux Framework plugin for WordPress. The exploit generates predictable AJAX action keys using MD5 hashing and checks for vulnerability by sending crafted requests to the target.

The exploit leverages predictable AJAX action names derived from MD5 hashes of the target URL to retrieve sensitive information, including active plugins, PHP version, and unsalted MD5 hashes of WordPress authentication keys. It automates the process of generating the required hashes and querying the vulnerable endpoints.

This PoC exploits an unauthenticated sensitive information disclosure vulnerability in Redux Framework by generating a predictable hash and fetching sensitive data via an AJAX endpoint. The script automates the process of retrieving the disclosure code from Redux's verification server.