This plugin allows authors to replace media while retaining its URL and ID, so that images can be swapped without changing too much information.
A vulnerability exists such that an author can use the plugin's replace function to take over, and then delete, a media file that does not belong to them. They can then upload a new image with the same filename as the deleted media, so that posts which reference that file, including posts they cannot edit, now display the author's content.
PoC
Setup
As an admin, upload a media file
We can see the newly created file, owned by admin, called flower.jpg
The plugin exposes new functionality at the bottom of the attachment page which allows you to replace the image
As the owner of the image, the admin also has the option of deleting the image (Delete permanently)
We now create a blog post that points to the image
There is now a post by the admin that embeds the image, and both the post and the image are owned by the admin
Exploit
Now we log in as an author.
An author can also upload media files, and the plugin functionality is also exposed to them
As the author, we can still see the image file uploaded by the admin, but we can no longer delete the file since we do not own it.
Now we upload our own image
Using the plugin, we click Replace Image and we select the image that is owned by the admin
The plugin's replace function overwrites our image with the image that is owned by the admin.
If we go back to the media page, our original uploaded image is gone, and we’re only left with the image the admin uploaded
If we now view the ownership of the image, it is the author
The author can now delete the image, then upload another image and name it flower.jpg
And now the admin blog post will pull this image instead
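The root cause demonstrated above is a replace handler that checks only whether the user may upload files at all, not whether they own the specific attachment they are pulling in. The following PHP is an added illustration written for this page; it is not the plugin's own code, and the function names (ems_handle_replace_vulnerable, ems_handle_replace_hardened), the admin-post action name and the source/target request parameters are assumptions. The WordPress functions it calls (current_user_can, check_admin_referer, get_post, wp_update_post, wp_delete_attachment) are real.

```php
<?php
// Hypothetical replace handler. Names and parameters are assumptions for
// this example; they are not the plugin's actual identifiers.
//
// "source" is the attachment the acting user uploaded, "target" is the
// attachment whose file should replace it.

// VULNERABLE pattern: a role-level check only. Any Author passes
// 'upload_files', so nothing stops them naming an admin's attachment as
// the target. The net effect matches the PoC: the target attachment is
// reassigned to the author and the author's own upload disappears.
function ems_handle_replace_vulnerable() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    $source = absint( $_POST['source'] ?? 0 );
    $target = absint( $_POST['target'] ?? 0 );

    // Ownership of the target silently changes hands here.
    wp_update_post( array(
        'ID'          => $target,
        'post_author' => get_current_user_id(),
    ) );
    wp_delete_attachment( $source, true );
}

// HARDENED pattern: CSRF nonce plus per-object capability checks on BOTH
// attachments. 'edit_post' and 'delete_post' are meta capabilities; for an
// Author they only succeed on attachments whose post_author is that user,
// which is exactly the rule the core media screen already enforces when it
// hides "Delete permanently" on other people's files.
function ems_handle_replace_hardened() {
    check_admin_referer( 'ems_replace' ); // assumed nonce action name

    $source = absint( $_POST['source'] ?? 0 );
    $target = absint( $_POST['target'] ?? 0 );

    foreach ( array( $source, $target ) as $id ) {
        $post = get_post( $id );
        if ( ! $post || 'attachment' !== $post->post_type ) {
            wp_die( 'Invalid attachment', '', array( 'response' => 400 ) );
        }
        if ( ! current_user_can( 'edit_post', $id )
            || ! current_user_can( 'delete_post', $id ) ) {
            wp_die( 'You do not own this attachment', '', array( 'response' => 403 ) );
        }
    }

    // Only now is it safe to perform the replace; both attachments are
    // known to be editable and deletable by the current user.
    wp_update_post( array(
        'ID'          => $target,
        'post_author' => get_current_user_id(),
    ) );
    wp_delete_attachment( $source, true );
}

// Assumed hook name for the admin-post.php form handler.
add_action( 'admin_post_ems_replace', 'ems_handle_replace_hardened' );
```

When reviewing a plugin for this class of bug, the thing to look for is a handler that reads an attachment ID from the request and passes it to wp_update_post, wp_delete_attachment or the filesystem without a current_user_can( 'edit_post', $id ) or current_user_can( 'delete_post', $id ) call on that specific ID; a role check such as upload_files or edit_posts on its own is not enough.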
Conclusion
This vulnerability allows the author to take ownership of media files not owned by them.
By exploiting this vulnerability, the author can delete those images and upload their own images under the same filename to hijack posts that do not belong to them.