VYPR
Unrated severity · NVD Advisory · Published Aug 15, 2024 · Updated Aug 22, 2024

Arbitrary Code Execution in WPS Office

CVE-2024-7263

Description

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office versions ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized, which leads to the execution of an arbitrary Windows library.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper path validation in WPS Office for Windows allowed arbitrary DLL loading by exploiting an unsanitized parameter, partially bypassing the CVE-2024-7262 fix.

Vulnerability

The flaw is improper path validation in promecefpluginhost.exe within Kingsoft WPS Office on Windows. Versions from 12.2.0.13110 to 12.2.0.17115 (exclusive) are affected. The issue stems from an unsanitized parameter that was not addressed in the previous patch for CVE-2024-7262, allowing an attacker to specify a path to an arbitrary Windows library (DLL) that gets loaded by the vulnerable component [1].
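The bug class described above, seen from the developer's side, as an added example (not WPS Office code and not taken from the advisory): one strict validator applied to every parameter that can name a library to load, so that fixing one parameter cannot leave another unchecked. The trusted directory and the parameter names `plugin_path` and `helper_path` are hypothetical.

```python
import ntpath
from pathlib import PureWindowsPath

# Assumptions for illustration only: install directory and parameter names
# are hypothetical and do not come from WPS Office.
TRUSTED_DIR = PureWindowsPath(r"C:\Program Files\ExampleApp\plugins")
PATH_PARAMS = ("plugin_path", "helper_path")  # every parameter naming a library

def is_trusted_library(raw: str) -> bool:
    """True only for a .dll on a local drive, lexically inside TRUSTED_DIR."""
    if not raw or "\x00" in raw:
        return False
    norm = raw.replace("/", "\\")  # Windows accepts both separators
    # Reject UNC shares and device namespaces (\\server\share, \\?\, \\.\).
    if norm.startswith("\\\\"):
        return False
    drive, tail = ntpath.splitdrive(norm)
    # Require "X:\...": rejects relative and drive-relative ("C:foo") paths.
    if len(drive) != 2 or drive[1] != ":" or not tail.startswith("\\"):
        return False
    # A colon after the drive letter would name an alternate data stream.
    if ":" in tail:
        return False
    # Collapse "." and ".." before comparing, so traversal cannot escape.
    resolved = PureWindowsPath(ntpath.normpath(norm))
    if resolved.suffix.lower() != ".dll":
        return False
    # PureWindowsPath equality is case-insensitive, matching NTFS defaults.
    return TRUSTED_DIR in resolved.parents

def rejected_params(params: dict) -> list:
    """Names of path-bearing parameters that fail validation (empty = allow)."""
    return [name for name in PATH_PARAMS
            if name in params and not is_trusted_library(params[name])]

# Constructed sample request: the first parameter is clean, the second
# climbs out of the trusted directory with "..".
SAMPLE = {
    "plugin_path": r"C:\Program Files\ExampleApp\plugins\viewer.dll",
    "helper_path": r"C:\Program Files\ExampleApp\plugins\..\..\..\Users\Public\x.dll",
}

if __name__ == "__main__":
    print(rejected_params(SAMPLE))
```

The check is lexical only; a production loader would also resolve junctions and symlinks on the opened file and verify the library's signature before loading it.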

Exploitation

An attacker needs local access to the system or the ability to trick a user into opening a crafted document or performing an action that triggers the vulnerable code path in WPS Office. The attacker supplies a malicious DLL file with a crafted path via the unsanitized parameter. The application loads this DLL, executing its code in the context of the WPS Office process [1].

Impact

Successful exploitation allows the attacker to load and execute an arbitrary Windows library (DLL) within the WPS Office process. This can lead to arbitrary code execution, enabling the attacker to escalate privileges, install malware, or perform other actions on the victim's system with the privileges of the logged-on user [1].

Mitigation

WPS Office version 12.1.0.17119 was released to address CVE-2024-7262 but did not fully resolve the problem; a more comprehensive fix is expected in future versions. The affected range given in the description ends at 12.2.0.17115 (exclusive). Users should upgrade to the latest version of WPS Office available from the vendor's official website [1]. No workaround or KEV listing has been published at this time.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1