
WP Plugin Bug CVE-2024-4873

Overview

This plugin allows authors to replace media while retaining its URL and ID, so that images can be swapped without changing much other information.
A vulnerability exists such that an author can use the plugin to delete a media file that does not belong to them. They can then upload a new image with the same name as the deleted media file to modify the contents of posts that do not belong to them.

PoC

Setup

As an admin, upload a media file.
We can see the newly created file, owned by admin, called flower.jpg.
The plugin exposes new functionality at the bottom which allows you to replace the image.
As the owner of the image, the admin also has the option of deleting it via Delete permanently.
We now create a blog post that points to the image.
There is now a post by the admin which contains the image, and the image is owned by the admin.

Exploit

Now we log in as an author.
An author can also upload media files, and the plugin functionality is also exposed to them.
As the author, we can still see the image file uploaded by the admin, but we can no longer delete the file since we do not own it.
Now we upload our own image.
Using the plugin, we click Replace Image and select the image that is owned by the admin.
The plugin function overwrites our image with the image that is owned by the admin.
If we go back to the media page, our original uploaded image is gone, and we're only left with the image the admin uploaded.
If we now view the ownership of the image, it is the author.
The author can now delete the image and upload another image named flower.jpg.
The admin blog post will now pull this image instead.

Conclusion

This vulnerability allows the author to take ownership of media files not owned by them.
By exploiting this vulnerability, the author can delete images and upload their own images to hijack posts that do not belong to them.
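The root cause described above is an authorization check that covers only the attachment the user clicked on, not the attachment they selected as the replacement. The PHP below is an added illustration written for this page, not the plugin's own code: all function, action and request-parameter names (hypo_*, attachment_id, source_id) are hypothetical, and the swap step only approximates the observed effect (the selected image ends up owned by the caller and the caller's original image is removed). The weak handler shows the shape of the bug; the hardened handler requires the object-level edit_post and delete_post capabilities on every attachment the operation touches, which is the same gate that hides Delete permanently from the author on the admin's file in the media library.

```php
<?php
// Added example, not the plugin's code. Names prefixed hypo_ and the
// request parameters attachment_id / source_id are hypothetical.

// Hypothetical swap step approximating the effect seen on this page:
// re-own the selected attachment and remove the caller's original one.
function hypo_swap_attachments( $own_id, $source_id ) {
    wp_update_post( array(
        'ID'          => $source_id,
        'post_author' => get_current_user_id(),
    ) );
    wp_delete_attachment( $own_id, true );
}

// Weak shape: only the attachment being "replaced" is authorised.
// An author owns $own_id, so the check passes, and $source_id (someone
// else's attachment) is never checked before it is rewritten.
function hypo_replace_media_weak() {
    check_admin_referer( 'hypo_replace_media' );          // CSRF nonce only
    $own_id    = absint( $_POST['attachment_id'] ?? 0 );
    $source_id = absint( $_POST['source_id'] ?? 0 );      // chosen by the caller
    if ( ! current_user_can( 'edit_post', $own_id ) ) {
        wp_die( 'Not allowed', 403 );
    }
    hypo_swap_attachments( $own_id, $source_id );
}

// Hardened shape: every attachment the operation reads, rewrites or deletes
// needs an object-level capability check. For an attachment owned by another
// user, WordPress maps edit_post / delete_post to edit_others_posts /
// delete_others_posts, which the Author role does not have, so the request
// on this page would be refused at $source_id.
function hypo_replace_media_hardened() {
    check_admin_referer( 'hypo_replace_media' );
    $own_id    = absint( $_POST['attachment_id'] ?? 0 );
    $source_id = absint( $_POST['source_id'] ?? 0 );

    foreach ( array( $own_id, $source_id ) as $id ) {
        $post = get_post( $id );
        if ( ! $post || 'attachment' !== $post->post_type ) {
            wp_die( 'Invalid attachment', 400 );
        }
        // Replacing both modifies and effectively deletes media, so require both.
        if ( ! current_user_can( 'edit_post', $id ) || ! current_user_can( 'delete_post', $id ) ) {
            wp_die( 'You can only replace media you are allowed to edit and delete', 403 );
        }
    }
    hypo_swap_attachments( $own_id, $source_id );
}

// Register only the hardened handler (hypothetical action name).
add_action( 'wp_ajax_hypo_replace_media', 'hypo_replace_media_hardened' );
```

The check has to run per attachment ID, because the meta capabilities are resolved against each post's author; a role-level test such as current_user_can( 'upload_files' ) or a check on a single ID says nothing about the other attachment the request names.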