Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution
The plugin allows high-privilege users to execute arbitrary PHP code, even in a hardened environment (i.e. with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true), via the 'widget_rrm_similar_posts_condition' widget setting of the plugin.
The vendor was notified in July 2021; the issue was then escalated to the WP plugins team in August and October due to the vendor's unresponsiveness.
Proof of Concept
- Add the plugin's widget (e.g. via /wp-admin/widgets.php)
- Put the following payload (replacing WEBROOT with the real value) in the "Show only if page" setting of the widget: file_put_contents('/WEBROOT/info.php', '<?php phpinfo(); ?>').
- Save the settings and click the Update button on the Widgets page
- Then browse to /info.php (or whatever path was set above) to access the created info.php
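Because the setting is stored as a PHP-serialized array in the wp_options row named 'widget_rrm_similar_posts_condition', an administrator can audit a site (or a database dump) for widget instances whose condition contains anything other than WordPress conditional tags. The script below is an added example and is not code from the advisory or from the plugin: it decodes the option value with a minimal PHP unserializer and flags every function call that is not in a small allowlist of conditional tags. The instance field name 'condition', the allowlist, and the sample option value are assumptions constructed for illustration; the plugin's real field name may differ, which is why the scanner checks every string field of every instance.

```python
import re

# Assumed allowlist: the conditional tags a "show only if" setting would legitimately use.
ALLOWED_CONDITIONALS = {
    "is_page", "is_single", "is_singular", "is_category", "is_tag",
    "is_home", "is_front_page", "is_archive", "is_search", "is_404",
}

# Matches an identifier immediately followed by "(" i.e. a PHP function call.
CODE_PATTERN = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def php_unserialize(data: bytes, pos: int = 0):
    """Minimal PHP unserialize() for the types widget options use
    (array, string, int, bool, float, null). Returns (value, next_pos).
    Works on bytes because PHP string lengths are byte counts."""
    t = data[pos:pos + 1]
    if t == b"N":                                  # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                    # i:42; b:1; d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        val = int(raw) if t == b"i" else (raw == b"1" if t == b"b" else float(raw))
        return val, end + 1
    if t == b"s":                                  # s:5:"title";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        return data[start:start + length].decode("utf-8", "replace"), start + length + 2
    if t == b"a":                                  # a:2:{...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                              # skip ':{'
        result = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            value, p = php_unserialize(data, p)
            result[key] = value
        return result, p + 1                       # skip '}'
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def php_serialize(value) -> bytes:
    """Inverse of php_unserialize, used here only to build the constructed sample."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):                    # bool before int: bool is an int subclass
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def find_widget_code(option_value: bytes, allowed=ALLOWED_CONDITIONALS):
    """Return (instance_id, field, function_name) for every function call found
    in a string field of a stored widget instance that is not an allowed tag."""
    option, _ = php_unserialize(option_value)
    findings = []
    for instance_id, instance in option.items():
        if not isinstance(instance, dict):         # skip the '_multiwidget' => 1 marker
            continue
        for field, value in instance.items():
            if not isinstance(value, str):
                continue
            for name in CODE_PATTERN.findall(value):
                if name not in allowed:
                    findings.append((instance_id, field, name))
    return findings


# Constructed sample option value: one benign instance and one that stores the
# file_put_contents() call from the advisory. Field names are assumptions.
SAMPLE_OPTION = php_serialize({
    2: {"title": "Related posts", "condition": "is_page('about') || is_single()"},
    3: {"title": "Related posts", "condition": "file_put_contents('/WEBROOT/info.php', 'x')"},
    "_multiwidget": 1,
})

if __name__ == "__main__":
    for instance_id, field, name in find_widget_code(SAMPLE_OPTION):
        print(f"widget instance {instance_id}: field '{field}' calls {name}()")
```

On a live site the same value can be obtained with `wp option get widget_rrm_similar_posts_condition` (WP-CLI) or by selecting the row from the options table; any non-allowlisted call in the result is a sign that the setting has been used to store code rather than a display condition.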