v1.5.3

Bug Fixes

• Fix some modules statically referencing the wp-content directory
• Fix authenticated modules causing the follow_http_redirection option to be set to false
• Fix a null reference when using Hydra via HttpClient#queue_request

New Modules

• Add 53 new modules for BestWebSoft plugin reflected XSS shell upload
• Add Answer My Question 1.3 reflected XSS shell upload
• Add Download Monitor <= 1.9.6 log export
• Add MSMC reflected XSS shell upload
• Add Slideshow Gallery <= 1.6.5 reflected XSS shell upload
• Add Tracking Code Manager reflected XSS shell upload
• Add Ultimate Addons for Visual Composer <= 3.16.11 authenticated stored XSS shell upload
• Add Ultimate Addons for Visual Composer <= 3.16.11 reflected XSS shell upload
• Add Ultimate Form Builder Lite <= 1.3.2 reflected XSS shell upload
• Add User Access Manager reflected XSS shell upload
• Add WordPress Ad Widget <= 2.11.0 - authenticated PHP file download
• Add WordPress Firewall 2 authenticated stored XSS shell upload
• Add flickr-picture-backup <= 0.7 unauthenticated shell upload

v1.5.2

Bug Fixes

• Fixed a bug introduced in v1.5.1 that causes new lines to be removed during payload output

New Modules

• Add Gwolle Guestbook <= 2.1.0 unauthenticated stored XSS shell upload
• Add Membership Simplified <= 1.58 unauthenticated arbitrary file download
• Add Tribulant Slideshow Gallery <= 1.6.4 reflected XSS shell upload
• Add WP-Filebase Download Manager <= 3.4.4 reflected XSS shell upload

v1.5.1

Bug Fixes

• Add gem validation on startup with instructions advising to run bundler if any are missing
• Fix unhandled signal error when using ^C to exit a thread blocking module
• Fix formatting error when displaying some module descriptions

New Modules

• Add Admin Custom Login reflected XSS shell upload
• Add Alpine PhotoTile reflected XSS shell upload
• Add AnyVar 0.1.1 reflected XSS shell upload
• Add Atahualpa Theme reflected XSS shell upload
• Add Google Analytics Dashboard reflected XSS shell upload
• Add Magic Fields <= 1.7.1 reflected XSS shell upload
• Add Mobile App Native unauthenticated shell upload
• Add Mobile Friendly App Builder unauthenticated shell upload
• Add Rockhoist Badges 1.2.2 reflected XSS shell upload
• Add Trust Form reflected XSS shell upload
• Add User Login Log stored XSS shell upload
• Add Webapp Builder unauthenticated shell upload
• Add WordPress 4.2-4.7.2 CSRF DoS module
• Add WordPress Mobile App Builder unauthenticated shell upload
• Add WP-SpamFree Anti-Spam reflected XSS shell upload
• Add Wp2Android unauthenticated shell upload

v1.5

Core / API Changes

• Add a hook that is called before an upload operation starts using the ShellUpload mixin
• Add a hook that is called before downloads start in the FileDownload mixin
• Add ability to register commands to be automatically executed when a session is established (currently supported by the bind_php and reverse_tcp payloads)
• Add custom validation method in the ShellUpload mixin
• Add flag to allow module description text to be treated as pre-formatted text
• Add method for specifying parameters to be used in upload requests made by the ShellUpload mixin
• Add method to allow important usage information to be emitted when a module is loaded
• Add method to override the expected status code of successful uploads in the ShellUpload mixin
• Add the REST API introduced in WordPress 4.7 into the Urls mixin
• Allow the extension name in the ShellUpload mixin to be customised
• Remove module naming restrictions, allowing for the use of dots in file names

CLI Changes

• Add auto-complete suggestions for the gset command
• Add new command: exit

Bug Fixes

• Fix a null reference error occurring when using ^D
• Fix broken CVE links being generated
• Fix custom payload invocation to properly expand the path

New Modules

• Add ACF Frontend display <= v2.0.5 unauthenticated shell upload
• Add Content Slide <= v1.4.2 reflected XSS shell upload
• Add DesignFolio Plus Theme <= v1.2 unauthenticated shell upload
• Add Estatik <= v2.2.5 unauthenticated shell upload
• Add Fast Image Adder <= v1.1 unauthenticated RFI shell upload
• Add Gravity Forms <= 1.9.15.11 reflected XSS shell upload
• Add Gravity Forms <= v1.8.19 unauthenticated shell upload
• Add MailCWP 1.100 shell upload
• Add MailCWP <= v1.99 unauthenticated shell upload
• Add Neosense theme <= v1.7 unauthenticated shell upload
• Add Premium SEO Pack < v1.9 unauthenticated shell upload
• Add Ultimate Product Catalogue <= v3.1.1 unauthenticated shell upload
• Add WP Front-End Repository Manager unauthenticated shell upload
• Add WP Marketplace <= v2.4 file download
• Add WP Marketplace unauthenticated shell upload
• Add Windows Desktop And iPhone Photo Uploader unauthenticated shell upload
• Add WooCommerce Amazon Affiliates < v9.0 unauthenticated shell upload
• Add WordPress v4.7.0 - v4.7.1 content injection module

v1.4.1

Interim release to fix the Recent Backups Arbitrary File Download module, which was broken in the previous release.

v1.4

Core Changes

• Add a new method to the FileDownload mixin which allows for the validation of file contents
• Change modules which accept a local file path as an option value to properly expand the path and allow the use of tilde as a shortcut to the home directory

New Modules

• Add MailChimp for WordPress reflected XSS shell upload
• Add Delete All Comments shell upload
• Add Check Email < 0.5 reflected XSS shell upload
• Add WordPress 4.7 user information disclosure
• Add Instagram Feed <= 1.4.6.2 CSRF stored XSS shell upload
• Add WP Whois Domain reflected XSS shell upload
• Add WP Vault file download
• Add Social Pug <= 1.2.5 reflected XSS shell upload
• Add Content Grabber reflected XSS shell upload
• Add Quiz and Survey Master <= 4.7.8 reflected XSS shell upload
• Add Direct Download for WooCommerce <= 1.15 file download
• Add Brafton Content Importer < 3.4.7 reflected XSS shell upload
• Add Podlove Podcast Publisher <= 2.3.15 reflected XSS shell upload
• Add WangGuard <= 1.7.2 reflected XSS shell upload

Dependencies

• Update Nokogiri to 1.7.0
• Update Slop to 4.4.1
• Update Require All to 1.4
• Update Typhoeus to 1.1.2

v1.3.2

New Modules

• Add WP Google Maps <= 6.3.14 stored XSS shell upload exploit
• Add Ultimate Member <= 1.3.75 shell upload exploit
• Add WooCommerce Email Test <= 1.5 order information disclosure module

v1.3.1

CLI Changes

• Add "show exploits" command
• Add "show auxiliary" command
• Add "help" command
• Fix "version" and "update" switches causing errors when using a symlink to wpxf.rb

Core Changes

• Allow stored XSS modules to override the expected status code for a valid response
• Fix various pieces of yardoc

New Modules

• Add Post Grid <= 2.0.12 File Deletion module
• Add iThemes Security <= 5.6.1 stored XSS shell upload module
• Add All In One WP Security 4.1.4 to 4.1.9 reflected XSS shell upload module
• Add Lightbox <= 1.6.6 reflected XSS module
• Add Quotes Collection <= 2.0.5 reflected XSS module
• Add Caldera Forms <= 1.3.5.3 XSS module

v1.2.1

• Add Portfolio <= 2.1.10 XSS module
• Add MailPoet Newsletters <= 2.7.2 reflected XSS module
• Add Front end file upload and manager Plugin <= 3.9 - Arbitrary File Upload module
• Add Appointment Schedule Booking System stored XSS module

v1.2.0

• Fix errors caused by trying to run WPXF outside of its base directory
• Fix errors caused by unexpected CLI switches
• Fix URIs being generated with duplicate slashes in some scenarios
• Add ability to automatically set options from environment variables prefixed with "wpxf_"
• Add WP Front End Profile privilege escalation module
• Add W3 Total Cache <= 0.9.4.1 reflected XSS module
• Add WooCommerce order disclosure export module
• Add Email Users <= 4.8.3 CSRF bulk e-mail module
• Add Peter's Login Redirect <= 2.9.0 reflected XSS module
• Add WooCommerce Product Addons shell upload module