WordPress Plugin Vulnerabilities
Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
Description
The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations.
By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow Editor and Author users to use the functionality as well.
Proof of Concept
1. Create a new slider. Set its background image to an image on your server.
2. Save the slider, exit the slider edit UI, and go to Slider Revolution > Overview.
3. In the dropdown menu for the Slider you just created, click "Export".
4. Unzip the export.
5. In the `images` directory, exchange the image file with a file `poc.php` with the following contents:
<?php echo "pwned"; ?>
6. In the `slider_export.txt` file, replace the path to the image file with the path to the `poc.php` file.
7. Note the value of the `alias` attribute. This will be needed later.
8. Zip the `images` directory and `slider_export.txt` file.
9. On the site, go to Slider Revolution > Overview.
10. Click on "Manual Import" and upload your zip file.
11. Note that the `poc.php` file has been uploaded to `/wp-content/uploads/revslider/<alias>/poc.php`.
12. Ensure that your server is configured to allow PHP execution from the `wp-content/uploads` directory, and visit `http://yoursite.com/wp-content/uploads/revslider/<alias>/poc.php` to see the RCE.
Affects Plugins
Fixed in 6.6.13 References
CVE
Classification
Type
RCE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Marco Frison
Submitter
Marco Frison
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-05-22 (about 11 months ago)
Added
2023-05-24 (about 11 months ago)
Last Updated
2023-05-26 (about 11 months ago)
WPScan 