Revolution Slider <= 6.6.12 – Author+ Remote Code Execution | CVE 2023-2359

Description

The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations.

By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow Editor and Author users to use the functionality as well.

Proof of Concept

1. Create a new slider. Set its background image to an image on your server.
2. Save the slider, exit the slider edit UI, and go to Slider Revolution > Overview.
3. In the dropdown menu for the Slider you just created, click "Export".
4. Unzip the export.
5. In the `images` directory, exchange the image file with a file `poc.php` with the following contents:

    <?php echo "pwned"; ?>

6. In the `slider_export.txt` file, replace the path to the image file with the path to the `poc.php` file.
7. Note the value of the `alias` attribute. This will be needed later.
8. Zip the `images` directory and `slider_export.txt` file.
9. On the site, go to Slider Revolution > Overview.
10. Click on "Manual Import" and upload your zip file.
11. Note that the `poc.php` file has been uploaded to `/wp-content/uploads/revslider/<alias>/poc.php`.
12. Ensure that your server is configured to allow PHP execution from the `wp-content/uploads` directory, and visit `http://yoursite.com/wp-content/uploads/revslider/<alias>/poc.php` to see the RCE.