WordPress Plugin Vulnerabilities
Enable Media Replace < 4.1.3 - Author+ PHP Object Injection
Description
The plugin unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog
Proof of Concept
Step 1: Add the following code to the end of the file located at enable-media-replace/build/shortpixel/replacer/src/Replacer.php to create a gadget chain for simulation: class EvilTest2 { public function __wakeup() : void { die("Arbitrary deserialization"); } } Step 2: Upload a random image media. Step 3: Navigate to Media > Library and switch to List mode. Step 4: Select "Copy URL" for your uploaded media and remove the host name, leaving only the directories. For example: /wp-content/uploads/2023/08/WordpressCVE_Test.png Step 5: Generate an unserialize payload using the Python code below. Replace the removing_bg_file variable with the URL obtained in the previous step. Note that this payload is adapted for use in the PHP file mentioned in Step 1. removing_bg_file="/wp-content/uploads/2023/08/WordpressCVE_Test.png" print('O:37:"EnableMediaReplace\Replacer\EvilTest2":1:{s:14:"fileNameBypass";s:%s:"%s";}' % (len(removing_bg_file), removing_bg_file)) Step 6: Create a new Post in Code Editor mode. Clear all content in HTML and paste the generated unserialize payload. Publish the post. Ensure that the post status is set to "publish" in the database. It's recommended to click "Update" again after publishing the post. Step 7: Return to Media > Library and select the "Remove Background" option for your uploaded media. Mark the "Solid background" option. Step 8: Click the "Preview" button and wait. Step 9: Click the "Replace" button and wait. Step 10: You should see the text "Arbitrary deserialization" appear on the page.
Affects Plugins
References
CVE
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Jonatas Souza Villa Flor
Submitter
Jonatas Souza Villa Flor
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-21 (about 7 months ago)
Added
2023-09-21 (about 7 months ago)
Last Updated
2023-09-21 (about 7 months ago)