WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
CVE-2023-1381

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WP Meta Seo
Vendor: CVE Published:; 10 April 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WP Meta SEO plugin for WordPress, prior to version 4.5.5, contains a vulnerability that allows the manipulation of image files without valid path verification. This flaw can be exploited to trigger a PHAR deserialization issue, which in certain environments, may lead to remote code execution through a crafted payload. Such vulnerabilities pose significant security risks, enabling attackers to execute arbitrary code on the server hosting the vulnerable plugin.

Affected Version(s)

WP Meta SEO 0 < 4.5.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-1381 - Proof of Concept

References

https://wpscan.com/vulnerability/f140a928-d297-4bd1-8552-...

exploitvdb-entrytechnical-description

https://blog.wpscan.com/uncovering-a-phar-deserialization...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 10, 2023
👾
Exploit known to exist
Apr 10, 2023
Vulnerability published
Apr 10, 2023
Vulnerability Reserved
Mar 13, 2023

Credit

Alex Sanford

WPScan