Revolution Slider <= 6.6.12 - Author+ Remote Code Execution

2023-05-2200:00:00

Marco Frison

643

remote code execution

slider revolution

image upload

file manipulation

security vulnerability

php execution

server configuration

0.001 Low

EPSS

Percentile

43.6%

JSON

The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow Editor and Author users to use the functionality as well.

1. Create a new slider. Set its background image to an image on your server.
2. Save the slider, exit the slider edit UI, and go to Slider Revolution > Overview.
3. In the dropdown menu for the Slider you just created, click "Export".
4. Unzip the export.
5. In the `images` directory, exchange the image file with a file `poc.php` with the following contents:

    <?php echo "pwned"; ?>

6. In the `slider_export.txt` file, replace the path to the image file with the path to the `poc.php` file.
7. Note the value of the `alias` attribute. This will be needed later.
8. Zip the `images` directory and `slider_export.txt` file.
9. On the site, go to Slider Revolution > Overview.
10. Click on "Manual Import" and upload your zip file.
11. Note that the `poc.php` file has been uploaded to `/wp-content/uploads/revslider/<alias>/poc.php`.
12. Ensure that your server is configured to allow PHP execution from the `wp-content/uploads` directory, and visit `http://yoursite.com/wp-content/uploads/revslider/<alias>/poc.php` to see the RCE.

0.001 Low

EPSS

Percentile

43.6%

JSON

Related for WPEX-ID:A8350890-E6D4-4B04-A158-2B0EE3748E65