Slider Revolution < 6.6.19 – Author+ Insecure Deserialization leading to RCE | CVE 2023-6528

Description

The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution.

Proof of Concept

1. Make sure to configure the plugin so Authors can access its settings
2. Create a new slider.
3. Save and export the slider.
4. Unzip the slider.
5. Create custom_animations.txt file.
6. Use phpggc WordPress/RCE2 to generate deserialization payload with the following command.
 ./phpggc WordPress/RCE2 system "touch /var/www/html/pwned.txt"
7. Copy the serialized payload to custom_animations.txt
8. Zip the slider_export.txt and custom_animations.txt.
9. On the site, go to Slider Revolution > Overview.
10. Click on "Manual Import" and upload your zip file. Ignore the import error if any.
11. Visit the site/pwned.txt and notice that the file has been created confirming RCE.