V1n1v131r4 / Bypass-WordPress-Upload-Restriction-with-Polyglots

Bypass WordPress Upload Restriction with Polyglots


In this article I will bypass the WordPress 5.3.1 upload restrictions using polyglot files: a single file that is simultaneously valid in two different formats.

As the PoC we will use the DOCX + JAR polyglot from the Polydet polyglot database: https://github.com/Polydet/polyglot-database/blob/master/files/DOCX%2BJAR.docx

I downloaded the file with wget.

Because the file is at the same time a valid Java archive and a valid Microsoft Office document (both are ZIP containers), I first run it with Java.

Its content is a simple "Hello World" in Java.

We now open the same polyglot in MS Word to check its document content.

With that confirmed, I make a copy of the polyglot saved with a .jar extension and try to upload it to our WordPress 5.3.1 instance.

As expected, WordPress identifies the .jar as a file type prohibited by its upload security policy and rejects the upload.

However, when the very same bytes are uploaded with the .docx extension, WordPress only checks the extension and declared MIME type, does not inspect the archive's contents, and accepts the upload.

In this scenario an attacker could take advantage of the missing content validation in WordPress 5.3.1 to host malicious DOCX files on a trusted site (for example, disguised as résumés). The victim would then receive, by some other channel, a spreadsheet carrying a macro or simply a PowerShell script that downloads the hosted .docx and hands it to Java, executing the JAR half of the polyglot instead of opening a document. The upload check itself is not bypassed by any WordPress privilege escalation; it simply never looks past the extension, so the site becomes a trusted download location for the second stage.
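The check WordPress is missing is a look inside the archive. The following script is an added example, not code from the original page or from WordPress: it builds a constructed stand-in for the DOCX+JAR polyglot (the real Polydet file is not reproduced, and the .class entry is only a 0xCAFEBABE placeholder, so the stand-in will not actually run under Java) and then classifies an upload by its ZIP entry listing. A genuine Word document carries `[Content_Types].xml` and `word/document.xml`; a file that also carries `META-INF/MANIFEST.MF` or `.class` entries is a JAR wearing a .docx name and should be rejected regardless of extension or declared MIME type.

```python
"""Detect DOCX+JAR polyglots at upload time by inspecting ZIP entries.

Added example; not code from the original page or from WordPress.
DOCX and JAR are both ZIP containers, so one archive can carry the OOXML
parts Word expects *and* the manifest + .class files that `java -jar`
expects. An extension/MIME check sees only "docx"; the entry listing
gives the file away.
"""
import io
import zipfile

# Entries every real DOCX carries (OOXML package + main document part).
DOCX_REQUIRED = {"[Content_Types].xml", "word/document.xml"}
# Entries that have no business inside a Word document.
JAR_MANIFEST = "META-INF/MANIFEST.MF"
EXECUTABLE_SUFFIXES = (".class", ".jar")


def _zip_bytes(entries):
    """Write a dict of {entry name: payload} into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_clean_docx() -> bytes:
    """Constructed minimal DOCX (sample input, not a real Word export)."""
    return _zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "_rels/.rels": "<Relationships/>",
        "word/document.xml": "<w:document/>",
    })


def build_polyglot_docx_jar() -> bytes:
    """Constructed stand-in for the DOCX+JAR polyglot: the same OOXML parts
    plus a JAR manifest and a class entry. The class bytes are a placeholder
    (class-file magic only), so this is structurally a polyglot but is not
    executable under java. Assumption: a Main-Class named HelloWorld."""
    return _zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "_rels/.rels": "<Relationships/>",
        "word/document.xml": "<w:document/>",
        JAR_MANIFEST: "Manifest-Version: 1.0\r\nMain-Class: HelloWorld\r\n\r\n",
        "HelloWorld.class": b"\xca\xfe\xba\xbe",
    })


def inspect_upload(data: bytes) -> dict:
    """Classify an upload that claims to be .docx.

    Returns 'is_zip', 'is_docx', 'jar_indicators' (offending entry names)
    and 'verdict' ('accept' only for a DOCX with no JAR indicators).
    """
    result = {"is_zip": False, "is_docx": False,
              "jar_indicators": [], "verdict": "reject"}
    # A non-empty ZIP starts with a local file header signature.
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    result["is_docx"] = DOCX_REQUIRED.issubset(names)
    result["jar_indicators"] = sorted(
        n for n in names
        if n == JAR_MANIFEST or n.lower().endswith(EXECUTABLE_SUFFIXES)
    )
    if result["is_docx"] and not result["jar_indicators"]:
        result["verdict"] = "accept"
    return result


if __name__ == "__main__":
    for label, blob in (("clean", build_clean_docx()),
                        ("polyglot", build_polyglot_docx_jar())):
        print(label, inspect_upload(blob))
```

The clean sample is accepted; the polyglot is recognised as a DOCX (so a Word-only check would pass it) but rejected because of `META-INF/MANIFEST.MF` and `HelloWorld.class`. The same listing-based check is cheap enough to run in an upload hook before the file ever reaches the uploads directory.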

This is the file hosted on WordPress 5.3.1: https://sejalivre.org/poc/wp-content/uploads/2019/12/DOCXJAR.docx
