Enable Media Replace < 4.1.3 – Author+ PHP Object Injection | CVE 2023-4643

Description

The plugin unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog

Proof of Concept

Step 1: Add the following code to the end of the file located at enable-media-replace/build/shortpixel/replacer/src/Replacer.php to create a gadget chain for simulation:

class EvilTest2
{
    public function __wakeup() : void {
    	die("Arbitrary deserialization");
    }
}

Step 2: Upload a random image media.

Step 3: Navigate to Media > Library and switch to List mode.

Step 4: Select "Copy URL" for your uploaded media and remove the host name, leaving only the directories. For example: /wp-content/uploads/2023/08/WordpressCVE_Test.png

Step 5: Generate an unserialize payload using the Python code below. Replace the removing_bg_file variable with the URL obtained in the previous step. Note that this payload is adapted for use in the PHP file mentioned in Step 1.

removing_bg_file="/wp-content/uploads/2023/08/WordpressCVE_Test.png"
print('O:37:"EnableMediaReplace\Replacer\EvilTest2":1:{s:14:"fileNameBypass";s:%s:"%s";}' % (len(removing_bg_file), removing_bg_file))

Step 6: Create a new Post in Code Editor mode. Clear all content in HTML and paste the generated unserialize payload. Publish the post. Ensure that the post status is set to "publish" in the database. It's recommended to click "Update" again after publishing the post.

Step 7: Return to Media > Library and select the "Remove Background" option for your uploaded media. Mark the "Solid background" option.

Step 8: Click the "Preview" button and wait.

Step 9: Click the "Replace" button and wait.

Step 10: You should see the text "Arbitrary deserialization" appear on the page.