Media Library Assistant WordPress Plugin RCE and LFI Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2023-10-09
Type: webapps
Platform: php
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / / @Pepitoh / Twitter @Pepito_oh
# Exploitation path:
# Exploit:
# Vendor Homepage:
# Software Link:
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant WordPress Plugin in versions < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion, which allows an attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
Steps to trigger conversion of a remote SVG
Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)
Host 2 files:
- malicious.svg
- malicious.svg[1]
For LFI, getting wp-config.php:
Both malicious.svg and malicious.svg[1] on the remote FTP:
Then trigger conversion with:
# Directory listing or RCE:
Achieving directory listing or even RCE is a little more complicated.
Use exploit available here:
# Note
Exploitation depends on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts were performed with a default WordPress configuration and installation (WordPress is highly likely to have the default Imagick configuration).
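
A defender-side check for the request pattern described above, as an added example that is not part of the original advisory: it scans web-server access logs for requests to the affected page and flags those whose query string carries a remote URL, including percent-encoded and double-encoded forms. The log lines are constructed, and the parameter name `p` is a placeholder because the page does not give the plugin's parameter.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory as the affected page.
AFFECTED_PATH = "wp-content/plugins/media-library-assistant/includes/mla-stream-image.php"
# Any URL scheme inside the query string (the advisory's trigger uses ftp://).
REMOTE_SCHEME = re.compile(r"\b[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Combined log format: client IP, request line, status code.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log. The parameter name "p" is a placeholder, not the plugin's.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2023:10:00:00 +0000] "GET /wp-content/plugins/'
    'media-library-assistant/includes/mla-stream-image.php'
    '?p=ftp%3A%2F%2F192.0.2.10%3A21%2Fa HTTP/1.1" 200 512',
    '203.0.113.8 - - [09/Oct/2023:10:00:05 +0000] "GET /wp-content/plugins/'
    'media-library-assistant/includes/mla-stream-image.php'
    '?p=ftp%253A%252F%252F192.0.2.10%252Fa HTTP/1.1" 200 512',
    '198.51.100.4 - - [09/Oct/2023:10:01:00 +0000] "GET /wp-content/plugins/'
    'media-library-assistant/includes/mla-stream-image.php?p=1 HTTP/1.1" 200 90',
    '198.51.100.9 - - [09/Oct/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded URLs are still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client_ip, status, severity) for every request to the endpoint."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        path, _, query = target.partition("?")
        if AFFECTED_PATH not in fully_unquote(path).lower():
            continue
        remote = REMOTE_SCHEME.search(fully_unquote(query))
        findings.append((ip, status, "high" if remote else "review"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on this page from an unauthenticated client is worth reviewing on installations running a plugin version below 3.10; a "high" finding means the request also pointed the page at a remote URL.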