wpvulndb | Alex Sanford | WPVDB-ID:F140A928-D297-4BD1-8552-BFEBCEDBA536
History: Mar 27, 2023 - 12:00 a.m.

WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization

wpscan.com
8
wordpress
phar deserialization
image manipulation
remote code execution
vulnerability
browser console
network traffic
seo optimization

EPSS: 0.003 (Low), Percentile: 70.4%

The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.

PoC

1. Use a WordPress instance on PHP 7.x.

2. Create a PHP file create_phar.php with the following code:

    startBuffering();
    $phar->addFromString('test.png', 'text');
    $phar->setStub("\xff\xd8\xff\n");
    $phar->setMetadata(new Evil());
    $phar->stopBuffering();

3. Create the PHAR file poc.phar by running:

    php --define phar.readonly=0 create_phar.php

4. Rename poc.phar to poc.jpg.

5. Upload poc.jpg using the Media Editor. Take note of its path within wp-content/uploads.

6. Add the following code to the site in order to simulate a gadget:

    class Evil {
        public function __wakeup() : void {
            die("Arbitrary deserialization");
        }
    }

7. Create or edit a post or page in the block editor. Add an HTML block with the following contents (but replace any parts of the path to poc.jpg as needed for your test server).

8. Without saving the post or page, open the browser console to view network traffic, then click on “Reload Analysis” in the “SEO Page Optimization” section. Notice the admin-ajax request with action=wpms and task=reload_analysis returns with the text “Arbitrary deserialization”, demonstrating the vulnerability.
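The missing check named in the description, validating an image path before any file or image function touches it, could look like the following. This is an added example, not WP Meta SEO's code or its actual fix; safe_local_image_path(), its parameters and the demo directory are hypothetical names, and the inputs at the bottom are constructed.

```php
<?php
/**
 * Map an untrusted image reference to a real file under $uploadsDir, or null.
 * Call this before file_exists(), getimagesize() or any other filesystem or
 * image function sees the value: on PHP 7.x those functions unserialize PHAR
 * metadata when handed a phar:// path.
 */
function safe_local_image_path(string $candidate, string $uploadsDir): ?string
{
    // 1. Refuse every stream wrapper (phar://, php://, compress.zlib://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate) === 1) {
        return null;
    }
    // NUL bytes never belong in a path.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }

    // 2. Canonicalise, then require the file to live inside the uploads dir.
    $base = realpath($uploadsDir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // 3. Extension allow-list as a second, weaker layer (an assumed list).
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true) ? $real : null;
}

// Constructed demo inputs: a plain path, a phar:// reference, a traversal.
$uploads = sys_get_temp_dir() . '/uploads-demo';
@mkdir($uploads);
file_put_contents("$uploads/ok.jpg", "\xff\xd8\xff");
$inputs = ["$uploads/ok.jpg", "phar://$uploads/ok.jpg/test.png", "$uploads/../outside.jpg"];
foreach ($inputs as $in) {
    var_dump(safe_local_image_path($in, $uploads));
}
```

The wrapper check in step 1 is what closes this bug; the extension list alone would not, since the PoC file is already named poc.jpg.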

CPE
Name         Operator  Version
wp-meta-seo  lt        4.5.5
