WordPress <= 4.6.1 RCE via specially crafted .mo language file

Vulnerability Impact
Arbitrary code execution with the following two conditions:

  • An attacker can upload your own configuration language file, or the file containing the language themes, plug-ins folder
  • Website attacker constructs using good language file to translate the site, themes, plugins, etc.

Here’s an example of the real scenario: the attacker change a plug-in language files, and change the plug-in code so that when the plug-in initialization file using malicious plug-language translation, and then install the plug-in to the attacker by inducing Administrator trigger the vulnerability.

Vulnerability Analysis

In the call create_function, we adopted }the original closing function, add what we want to perform before using /* the unnecessary parts commented later, even if we do not have the final call to create a good function, we add new content also remains to be carried out . This is so because the create_functioninternal use of the eval code to execute, we see that the PHP manual on:


So because of this feature, if we can control create_function the $code parameters, it is possible with the execution of arbitrary code.

Now, look at vulnerability code in wp-includes/pomo/translations.php:

PHP’s create_function() function internally performs zend_eval_stringl(), so an attacker can use } close the anonymous function and execute arbitrary code in the process of creating the anonymous function 🙂


Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;
I provide crafted .mo language file, you can set default language to English AU, then access to the following URL and the phpinfo() function will be executed.





The crafted .mo language file: https://drive.google.com/open?id=0B4YO1KtVWS0naVNUZ2dhaXFGb2c


Before the official release patches recommend that administrators enhance safety awareness, do not use unsolicited font files, plugins, themes and so on.