Vulnerability flow and analysis

The first vulnerability is CVE-2019-8942, which overwrites the post meta entries:

The unsanitized user input is then passed on to wp_update_post(), which doesn't check for non-allowed post meta fields:

The attacker can overwrite the _wp_attached_file post meta key to point to their malicious file. At this point, we have exploited CVE-2019-8942. Now that we control what is written to the post meta entries, let's leverage the next vulnerability, CVE-2019-8943, a path traversal vulnerability. Using it, we can change the path of the malicious file uploaded via the previously exploited vulnerability (CVE-2019-8942) to a path of our choice, which leads to RCE.

The wp_crop_image() function calls the get_attached_file() function without any file path validation. So, the malicious image file uploaded to the server will be passed to the get_attached_file() function at the time the wp_crop_image() function is called (that is, when the image is cropped):

We can exploit this vulnerability to change the path of our uploaded malicious file and save the cropped version of the image in the default themes directory, that is, wp-content/themes/<default_theme>/<cropped-image>.jpg:

As we can see in the preceding screenshot, the malicious image is saved into the default theme folder. Now that our malicious image is in place, we can request the post so that our PHP payload gets executed, resulting in RCE.
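The missing validation described above (an attacker-controlled _wp_attached_file value reaching the crop path unchecked) can be closed by a containment check that rejects any value resolving outside the uploads directory. The following is an added example written for this section, not WordPress code or its official patch; the function name attachedFileIsContained() and the sample values are assumptions constructed here.

```php
<?php
// Added example (not WordPress code): reject a `_wp_attached_file` value that
// would resolve outside the uploads directory, i.e. the path-traversal
// condition behind CVE-2019-8943. Pure string normalisation, so it runs
// without touching the filesystem.
function attachedFileIsContained(string $uploadsBaseDir, string $attachedFile): bool
{
    // `_wp_attached_file` is stored relative to the uploads base directory.
    $rel = str_replace('\\', '/', $attachedFile);
    // Absolute paths, drive letters and stream wrappers are never valid here.
    if ($rel === '' || $rel[0] === '/' || preg_match('#^[a-z]:|^[a-z]+://#i', $rel)) {
        return false;
    }
    $stack = [];
    foreach (explode('/', $rel) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (empty($stack)) {
                return false; // climbs above the uploads root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }
    if (empty($stack)) {
        return false; // resolved to the directory itself, not a file
    }
    $base     = rtrim($uploadsBaseDir, '/') . '/';
    $resolved = $base . implode('/', $stack);
    // Belt-and-braces: the resolved path must still start with the base dir.
    return strpos($resolved, $base) === 0;
}

// Constructed sample values, in the shape the post meta would hold.
$base  = '/var/www/html/wp-content/uploads';
$cases = [
    '2019/02/image.jpg'              => true,  // normal upload
    '2019/02/a/../image.jpg'         => true,  // stays inside uploads
    '../../themes/image.jpg'         => false, // traversal out of uploads
    '/etc/passwd'                    => false, // absolute path
    'php://filter/resource=x'        => false, // stream wrapper
];
foreach ($cases as $value => $expected) {
    $ok = attachedFileIsContained($base, $value) === $expected;
    printf("%-30s %s\n", $value, $ok ? 'OK' : 'MISMATCH');
}
```

Once the file actually exists on disk, also compare realpath() of the final path against the uploads base directory, since a string check alone cannot see symlinks.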