Security is paramount in the world of WordPress plugins, and we are excited to bring you the latest on the “File Manager Pro — Filester” plugin version 1.8.1. In this article, we delve into the recent security improvements in this plugin, highlighting its enhanced safety. We’ll also touch on a previous vulnerability, CVE-2023-4827, which has now been addressed.
Received the “Plugin Security Certification” badge from CleanTalk.
Additional Information
It’s advisable to verify the most up-to-date information on the plugin developer’s website.
Plugin Security Certification by CleanTalk
“File Manager Pro — Filester” is a versatile WordPress plugin designed to provide a comprehensive file management system within your WordPress dashboard. It empowers users to efficiently upload, organize, and manage files and directories, making it an indispensable tool for website administrators.
Key features of “File Manager Pro — Filester” include:
Previously, the “File Manager Pro” plugin was associated with a vulnerability known as CVE-2023-4827, which pertained to Remote Code Execution via CSRF. However, we are pleased to inform you that the plugin developers have been proactive in addressing this issue. With the release of version 1.8.1, the vulnerability CVE-2023-4827 has been thoroughly patched, ensuring that your website remains secure.
Enhanced Security Measures
The “File Manager Pro — Filester” plugin version 1.8.1 introduces enhanced security measures to protect your WordPress website. These measures encompass a range of security aspects, including but not limited to:
Protection against common web application vulnerabilities.
Regular security audits and code reviews.
Prompt addressing of reported security concerns.
Staying up-to-date with WordPress security best practices.
Conclusion
The “File Manager Pro — Filester” plugin version 1.8.1 is now more secure than ever, with the CVE-2023-4827 vulnerability effectively mitigated. Website administrators can confidently utilize this plugin to streamline file management within their WordPress websites. Security remains a top priority, and the plugin’s developers are dedicated to maintaining a safe environment for users.
Please ensure you update to the latest version (1.8.1) to benefit from these security enhancements. As always, we recommend regular updates to keep your WordPress plugins and themes secure.
Note: The date and version information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
In the world of WordPress, there are hundreds of thousands of plugins, and security plays a crucial role in ensuring the smooth operation of your website. In this article, we present an overview of the “Simple Author Box” plugin version 6.3.1 and some exciting news: it has undergone rigorous security testing and has earned the CleanTalk “Plugin Security Certification” badge.
Received the “Plugin Security Certification” badge from CleanTalk.
Additional Information
It’s advisable to verify the most up-to-date information on the plugin developer’s website.
Plugin Security Certification by CleanTalk
In addition to automated security testing, a comprehensive manual review of the “Simple Author Box” plugin version 6.3.1 was conducted. Our team of security (Penetration Testers) experts meticulously analyzed the plugin’s codebase and functionalities. The result is clear: after this thorough review, we found no vulnerabilities or weaknesses that could pose a threat to WordPress websites. Website administrators can confidently use this plugin, knowing it enhances functionality without compromising security.
Simple Author Box: A Brief Overview
“Simple Author Box” is a popular WordPress plugin designed to display author information at the end of each article on your website. It’s a handy tool for maintaining transparency and connecting authors with readers.
Among the key features of “Simple Author Box” are:
Displaying the author’s avatar.
Showing the author’s name.
Linking to the author’s profiles on social networks.
Displaying a brief author biography.
Security First
One of the most critical aspects of any WordPress plugin is its security. We understand that WordPress users expect the plugins they install on their websites to be reliable and secure against vulnerabilities. Therefore, “Simple Author Box” version 6.3.1 has been carefully tested for the following security categories:
SQL Injections: It checks if the plugin is vulnerable to executing unwanted SQL queries to the database. SQL injections can be exploited by malicious actors to gain access to or modify data.
XSS Attacks (Cross-Site Scripting): It verifies whether the plugin prevents the injection of malicious scripts that run on the client-side. XSS attacks can be used to steal user data or redirect to phishing websites.
CSRF Attacks (Cross-Site Request Forgery): It ensures that the plugin is not susceptible to attacks where attackers can perform undesirable actions on behalf of authenticated users without their knowledge.
Authentication Vulnerabilities: It checks if there are any weak points in the authentication system that could be exploited for unauthorized access to administrative functions.
Authentication Bypass Vulnerabilities: It checks if there are any ways to bypass authentication mechanisms and gain access to protected resources.
Privilege Escalation Vulnerabilities: It verifies if there are vulnerabilities that could allow attackers to obtain additional privileges on the site.
Buffer Overflow Vulnerabilities: It checks whether the plugin is susceptible to buffer overflow, which could lead to the execution of malicious code.
Denial-of-Service (DoS) Vulnerabilities: It examines whether there are any methods that could be used to deny service to the website or server, such as by generating a large number of requests.
Data Leakage Vulnerabilities: It checks for any unauthorized disclosure of sensitive data or user information.
Insecure Dependencies: It verifies whether the plugin uses outdated or insecure libraries and dependencies that could pose security risks.
Code Execution Vulnerabilities: It checks for vulnerabilities that could allow the execution of malicious code on the server.
Privilege Escalation Vulnerabilities: It examines whether the plugin could allow one user to access data or functionality intended for other users.
File Unauthorized Access Vulnerabilities: It verifies that the plugin does not allow unauthorized access to files and server resources.
Insufficient Injection Protection: It checks whether the plugin protects against injection attacks to prevent unwanted consequences.
Information Leakage Vulnerabilities: It verifies whether there are ways to leak sensitive information, such as passwords or user data, through the plugin.
CleanTalk “Plugin Security Certification”
We are proud to announce that “Simple Author Box” version 6.3.1 has been assessed and certified by CleanTalk, one of the leading experts in plugin security for WordPress. This certification badge confirms that the plugin adheres to high security standards and is suitable for use on your website.
Conclusion
“Simple Author Box” version 6.3.1 is a reliable and secure plugin that will help you maintain transparency and connect with your authors and readers. It has undergone thorough security testing and has received certification from CleanTalk’s “Plugin Security Certification.” You can install it with confidence, knowing that your website will be protected against vulnerabilities.
Choose “Simple Author Box” for your WordPress site, and you can be sure of its reliability and security.
During testing of the plugin, a CSRF vulnerability was discovered in action=rename, which can lead to denial of service and theft of the password from the database, thereby allowing an attacker to get inside the web application and gain a foothold in it. Replace any data in the database and do everything that an administrator can do. After logging into the database, he can create a new user and attach a hashed password to it. And through the administrator to implement RCE remote code execution
Plugin testing and vulnerability detection in the File Manager Pro access plugin have been completed
August 25, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 8, 2023
The author has released a fix update
September 8, 2023
Registered CVE-2023-4827
Discovery of the Vulnerability
In the ever-evolving landscape of web security, the discovery of vulnerabilities is a critical aspect of keeping online systems safe. Recently, a noteworthy vulnerability, identified as CVE-2023-4827, was uncovered in File Manager Pro, specifically in versions prior to 1.8. This vulnerability poses a significant risk to web applications utilizing this plugin.
The vulnerability was first identified during a routine security assessment of the File Manager Pro plugin. It was categorized as a Cross-Site Request Forgery (CSRF) vulnerability, which, when exploited, could lead to remote code execution (RCE) on the affected web application.
Understanding of CSRF attack’s
Before delving into the specifics of this vulnerability, it’s crucial to understand what CSRF is and how it operates. CSRF, or Cross-Site Request Forgery, is a type of attack where an attacker tricks a user into executing actions on a web application without their consent. Essentially, it involves the exploitation of a user’s authenticated session to perform actions without their knowledge.
To illustrate this, imagine a scenario where an authenticated user is tricked into clicking a seemingly innocent link on a malicious website. This link sends a request to a target web application where the user is logged in, executing actions as if they initiated them themselves.
Exploiting the CSRF
In the case of CVE-2023-4827, the vulnerability was discovered in the “action=rename” feature of File Manager Pro. This vulnerability allows an attacker to craft a malicious CSRF request that forces an authenticated user to rename a file. While this may seem relatively benign at first glance, it has the potential for devastating consequences.
By exploiting this CSRF vulnerability, an attacker can initiate a series of actions leading to a remote code execution (RCE) scenario. They can gain control over the web application, potentially extracting sensitive information from the database, altering data, or even creating new users with hashed passwords. The attacker can effectively assume the privileges of an administrator and manipulate the application as they see fit.
The potential risks associated with this vulnerability are significant. In a real-world scenario, an attacker could use CSRF to exploit File Manager Pro, gain access to a web application’s database, and compromise its security. They could then exfiltrate sensitive data, modify critical settings, or inject malicious code, potentially causing data breaches or service disruptions. Moreover, the attacker could establish persistent access, allowing them to maintain control over the application, leading to long-term security concerns.
Recommendations for Improved Security
To mitigate the risk associated with CVE-2023-4827 and similar CSRF vulnerabilities, several security measures should be considered:
Update and Patch: It is crucial to keep all software, including plugins and themes, up to date. Developers often release patches to address security vulnerabilities.
CSRF Protection: Implement robust CSRF protection mechanisms, such as anti-CSRF tokens, to ensure that requests are only executed when initiated by legitimate users.
Security Audits: Regular security audits and penetration testing can help identify and address vulnerabilities before they can be exploited.
Least Privilege Principle: Restrict user privileges to the minimum required for their tasks to limit potential damage in the event of a breach.
In conclusion, CVE-2023-4827 serves as a stark reminder of the importance of maintaining vigilance in the ever-evolving landscape of cybersecurity. By understanding CSRF and taking proactive steps to secure web applications, developers and administrators can minimize the risks associated with such vulnerabilities and protect their systems from potential exploitation.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
During a security assessment of the FileOrganizer plugin, a medium vulnerability was uncovered in versions up to and including 1.0.2. This vulnerability allows an attacker to manipulate the plugin’s root folder, potentially compromising the security of the entire system. The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.
Plugin testing and vulnerability detection in the FileOrganizer access plugin have been completed
July 12, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 3, 2023
The author has not released an update
September 3, 2023
Registered CVE-2023-3664
Discovery of the Vulnerability
During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on
Understanding of Path Traversal attack’s
Path Traversal is a type of vulnerability that occurs when an application allows users to navigate outside the intended directory structure. In the case of FileOrganizer, the plugin lacks proper validation, enabling an attacker to traverse directories beyond the expected boundaries.
For instance, if the plugin expects files to be within the /var/www/html directory, an attacker can use path traversal techniques to access directories like /home, /etc, or even ../../../../../, which could lead to unauthorized access to sensitive files and system resources.
Exploiting the Path Traversal
Exploiting this vulnerability involves crafting malicious requests that contain directory traversal sequences, such as “../” or “%2e%2e%2f”, to trick the plugin into accessing files and directories outside its intended scope. This allows the attacker to view, modify, or exfiltrate sensitive files.
POC:
1. Go to settings page of this plugin
2. Change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc
3. Then navigate to the page of plugin
4. You will be able to list the files/folders outside of WordPress root directory
Potential Risks and Real-World Impact
The impact of this vulnerability is significant:
Unauthorized Data Access: Attackers can access and potentially steal sensitive files, including configuration files, user data, and other confidential information.
System Compromise: An attacker could use this vulnerability to compromise the entire system, execute arbitrary code, or manipulate critical files.
Data Loss: Files may be deleted, altered, or accessed without authorization, leading to data loss and system instability.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2023-3664 and enhance the security of the FileOrganizer plugin, the following measures are strongly advised:
Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for Path Traversal.
Input Validation: Implement thorough input validation and sanitization to prevent path traversal attacks and unauthorized file access.
Access Controls: Implement proper access controls to restrict file access based on user privileges.
Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent Path Traversal attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
By addressing the path traversal vulnerability in the FileOrganizer plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their data and systems.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the private directory at /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory.
The plugin’s inclusion of a function for privilege elevation is noteworthy. If an attacker obtains < Admin privileges, they could exploit ordinary users to facilitate this unauthorized upload.
Plugin testing and vulnerability detection in the Prevent files / folders access plugin have been completed
July 13, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 27, 2023
The author has released a fix update
August 31, 2023
Registered CVE-2023-4238
Discovery of the Vulnerability
During our meticulous examination of the plugin, we identified a critical flaw that exposes websites to remote code execution. This vulnerability allows an attacker to upload malicious PHP files to a specific directory, providing a gateway for executing arbitrary commands on the target system.
Understanding of Remote Code Execution attack’s
Remote Code Execution (RCE) is a sophisticated cyber attack that poses significant threats to the security of software applications, web servers, and online platforms. This type of attack enables malicious actors to execute arbitrary code on a target system, often leading to a complete compromise of the system’s functionality and data.
How Remote Code Execution Works:
Vulnerability Exploitation: RCE attacks typically exploit vulnerabilities in an application’s code, often resulting from poor input validation, inadequate user authentication, or insecure configurations. Attackers seek ways to inject their own malicious code into the target system.
Command Execution: Once the attacker succeeds in injecting malicious code, they can execute arbitrary commands on the target system. These commands might include shell commands, operating system functions, or other actions that can compromise the system’s security.
Unauthorized Access: RCE allows attackers to gain unauthorized access to the server environment, enabling them to manipulate files, databases, and other resources. This unauthorized access can result in data breaches, data loss, and unauthorized control of the system.
Exploiting the Remote Code Execution
In the context of the Prevent files / folders access plugin, an attacker can exploit the lack of proper validation and restrictions on file uploads. By injecting malicious PHP code into a file, they can upload it to the private directory. Upon execution, this file can trigger unauthorized commands, thereby compromising the entire web application.
POC:
1) Need to go to /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory
2) Then upload a file with the php extension
3) Follow the link http://your_host/wordpress/wp-content/uploads/protectedfiles/{filename}.php
POC request:
POST /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
The gravity of this vulnerability cannot be understated. An attacker who successfully leverages this RCE vulnerability gains the ability to execute operating system commands, potentially leading to the complete compromise of the web application, data theft, and unauthorized control of the server environment.
Data Breaches: Attackers can exfiltrate sensitive data from compromised systems. This might include personal information, financial data, proprietary business information, and more.
System Compromise: RCE attacks can lead to complete control of the target system. Attackers can modify files, install malware, and even escalate their privileges to gain control over the entire server.
Malicious Payload: Attackers can deliver payloads that create backdoors or install malware, allowing them to maintain persistent access to the compromised system even after the initial attack.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2023-4238 and enhance overall security, we strongly recommend the following measures:
Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for RCE.
Input Validation: Thoroughly validate and sanitize all user inputs to prevent injection attacks and unauthorized code execution.
Secure Coding Practices: Developers should follow secure coding practices, use proper input validation, avoid executing user-supplied code, and implement principle of least privilege.
Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent RCE attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
User Education: Educate users about the risks of executing code from untrusted sources and encourage them to avoid opening suspicious emails or downloading files from unknown sources.
By addressing the RCE vulnerability in the Prevent files / folders access plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their web applications.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
In the pursuit of robust website security, a profound vulnerability has emerged during the assessment of WordPress plugins. A striking vulnerability within the Lock User Account plugin was discovered, heralding a serious threat. This vulnerability exposes an avenue for malicious attackers to enact an untraceable lockout of all user accounts, capitalizing on a Cross-Site Request Forgery (CSRF) vulnerability.
Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
August 4, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 12, 2023
The author has removed his plugin from WordPress library
August 22, 2023
Registered CVE-2023-4307
Discovery of the Vulnerability
In the process of testing the plugin, which makes it possible to block the account of any user, a CSRF vulnerability was found, which allows the administrator to block all accounts when clicking on a malicious link. At the same time, the administrator will not know about it. There is no _wpnonce check in the plugin
Understanding of CSRF attack’s
Cybercriminals can craft a malicious link that, when clicked by an unwitting administrator, invokes unauthorized actions within the Lock User Account plugin. The impact is astounding – the attacker can swiftly lock all user accounts without the administrator’s knowledge. The lack of an essential _wpnonce check in the plugin facilitates this alarming exploit. CSRF – OWASP TOP-10
Exploiting the CSRF vulnerability
Administrators unknowingly executing the malicious link could inadvertently freeze every WordPress user’s account. The implications are severe, rendering the website inaccessible to users and disrupting the digital ecosystem.
P.s. YOU CAN ADD ANY OTHER INPUT DATA WITH THE NAME=”USERS” AND THE VALUE=”YOUR_MAX_USERS_NUMBER”
Potential Risks and Real-World Impact
The CSRF vulnerability within the Lock User Account plugin introduces grave risks and potential scenarios:
Unauthorized Account Blocking: An attacker could craft a malicious link and trick the administrator into clicking on it unknowingly. This would lead to the administrator unintentionally blocking all user accounts on the website.
Mass Account Disruption: As all user accounts get blocked, it could lead to a mass disruption of user access to the website. This might cause significant inconvenience to users and damage the reputation of the website.
Denial of Service (DoS): By blocking all accounts, the website may effectively experience a DoS situation, preventing legitimate users from accessing their accounts and using the website’s services.
Recommendations for Improved Security
Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:
Delete plugin: Since the plugin has been removed from the wordpress library, it is necessary to remove it. Current version will be vulnerable to this attack
Implement _wpnonce Verification:: Enhance the plugin’s defenses by incorporating robust _wpnonce verification. This step acts as a formidable barrier against CSRF attacks, thwarting unauthorized actions.
Regular Security Audits: Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
Educate Administrators: Educate administrators about the nature of CSRF attacks and the importance of cautious clicking. Raising awareness among your team can prevent inadvertent actions that could compromise site security.
By disseminating this crucial information throughout the WordPress community, we can collectively bolster the security of countless websites. Share this knowledge to ensure that administrators are well-equipped to defend against the CVE-2023-4307 vulnerability and to maintain the safety of their WordPress sites.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
In a profound exploration of WordPress plugins, a chilling revelation has come to light. During meticulous testing, a high-impact vulnerability was unearthed within the Media from FTP plugin, specifically versions preceding 11.17. This alarming flaw exposes an avenue for attackers to exploit Path Traversal techniques, enabling unauthorized access to sensitive files and documents. The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
July 26, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 31, 2023
The author has released a fix update
August 14, 2023
Registered CVE-2023-4019
Discovery of the Vulnerability
During testing of the plugin, a vulnerability was discovered in the mediafromftp-update-ajax-action, which allows downloading local folders outside of /var/www/html, which gives attackers a huge potential. They can download any local files in the media and then view them for example /etc/passwd, /etc/hosts and other local files/documents. This is possible on behalf of a user with Author rights. By default, the Author is not authorized to view local files and it cannot interact with them directly, viewing local files is very critical for the application owner. To eliminate this vulnerability, I ask you to validate the path that the user enters and if it does not contain a root directory, then do forbidden
Understanding of Path Traversal attack’s
Path Traversal, a notorious hacking technique, is at the core of this vulnerability. It involves manipulating file paths to breach directory boundaries and access files beyond the intended scope. Malicious actors exploit this to access files and directories that are otherwise restricted. Path Traversal OWASP TOP-10
Exploiting the Path Traversal vulnerability
Exploiting the CVE-2023-4019 vulnerability empowers attackers to venture outside the restricted directory of /var/www/html. This enables them to download local files, even those residing in sensitive system directories.
POC:
1) Go to /wordpress/wp-admin/admin.php?page=mediafromftp-search-register
2) Select any file from the media text list below
3) Click “Update Media”
4) Intercept request with action=mediafromftp-update-ajax-action
5) Сhange new_url to local dir like /etc/passwd or /etc/hosts
POC request:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
The Path Traversal vulnerability within the Media from FTP plugin introduces grave risks and potential scenarios:
Data Exposure: Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
Malicious Use of Stolen Data: Extracted data from unauthorized file access could be used maliciously, undermining the integrity of the entire system.
System Disruption: Access to sensitive files could lead to unintended modifications, potentially disrupting the functioning of the WordPress installation.
Recommendations for Improved Security
Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:
Immediate Plugin Update: Upgrade the Media from FTP plugin to version 11.17 or above. This update addresses the Path Traversal vulnerability and enhances security.
Input Validation: Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
Regular Security Audits: Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
Path Validation: Implement robust path validation mechanisms to ensure that user-entered paths remain within the authorized directory scope.
Empower the WordPress community with the knowledge of CVE-2023-4019. Share this article far and wide to ensure website owners take proactive measures against this critical vulnerability.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
In the realm of WordPress plugins, a severe security vulnerability has been unveiled. A comprehensive testing process revealed a critical flaw within the Advanced File Manager plugin, specifically versions up to 5.1.1. This vulnerability exposes a significant security lapse that can potentially allow unauthorized access to files and folders through Path Traversal techniques.
Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
July 13, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 9, 2023
The author has released a fix update
August 14, 2023
Registered CVE-2023-3814
Discovery of the Vulnerability
During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on
Understanding of Path Traversal attack’s
Path Traversal is a hacking technique that involves manipulating file paths to access files and directories beyond the intended scope. Hackers can exploit this vulnerability to break out of the restricted directory and gain access to sensitive files and directories residing in other parts of the system. Path Traversal OWASP TOP-10
Exploiting the Path Traversal vulnerability
Exploiting this Path Traversal vulnerability within the Advanced File Manager plugin could empower attackers to change the root folder, allowing them to view, access, and potentially download files from locations that are off-limits under normal circumstances.
POC:
1. Go to settings page (/wordpress/wp-admin/admin.php?page=file_manager_advanced_controls)
2. In the “Public Root Path” setting, change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc
3. Then navigate to the page of plugin (/wordpress/wp-admin/admin.php?page=file_manager_advanced_ui#elf_l1_Lw)
4. You will be able to list the files/folders outside of WordPress root directory
Potential Risks and Real-World Impact
The Path Traversal vulnerability within the Advanced File Manager plugin introduces grave risks and potential scenarios:
Data Exposure: Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
Malicious Code Injectionto OS folder’s: By manipulating file paths, hackers may insert malicious code into system files, leading to the compromise of the entire website.
Escalation of Privileges: Exploiting this vulnerability could provide attackers with unauthorized administrative access, leading to unauthorized control and manipulation of the WordPress environment.
Recommendations for Improved Security
To fortify your WordPress website against the CVE-2023-3814 vulnerability and enhance overall security, consider implementing the following preventive measures:
Immediate Plugin Update: Upgrade to Advanced File Manager plugin version 5.1.2 or higher. This update addresses the Path Traversal vulnerability and strengthens security.
Input Validation: Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
Regular Security Audits: Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
User Awareness: Educate administrators about the risks of clicking on unknown links or visiting suspicious websites, emphasizing the importance of vigilance.
By addressing the Path Traversal vulnerability within the Advanced File Manager plugin and adhering to these security recommendations, you can safeguard your WordPress website from unauthorized file and folder access, mitigating potential breaches and preserving the confidentiality of your data.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
In case Security Malware Scanner detects a suspicious file, the file is sent for analysis and, earlier this analysis was done manually by our team.
For 3 months now the files have been processed by our AI and the average analysis time has decreased from 36 hours to 10 minutes. However, we continue to double-check the results manually in order to guarantee perfect quality. This allowed us to raise the accuracy of the analysis and increase its speed tremendously.
And this is just the beginning. The AI-driven machine analysis data will be used to train the algorithm further and improve the scanner’s performance.
During a thorough security assessment of the Upload Media By URL plugin for WordPress, a concerning medium-level vulnerability has been uncovered in versions prior to 1.0.8. This vulnerability poses a significant risk to your website’s security and calls for immediate action! If exploited, this vulnerability allows attackers to potentially upload files containing malicious code directly to your WordPress site, exposing your users to harmful scripts and attacks.
Plugin testing and vulnerability detection in the Upload Media By URL plugin have been completed
July 10, 2023
I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 17, 2023
The author has eliminated the vulnerability and patched his plugin
August 2, 2023
Registered CVE-2023-3720
Discovery of the Vulnerability
During a security assessment of the Upload Media By URL plugin for WordPress, a medium vulnerability was identified in versions prior to 1.0.8. The plugin lacked Cross-Site Request Forgery (CSRF) protection when handling file uploads, allowing attackers to trick logged-in administrators into uploading files on their behalf, including HTML files containing malicious JavaScript code that could execute when accessed by users with the unfiltered_html capability.
Understanding Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application without their knowledge or consent. In this case, attackers can exploit the absence of CSRF protection in the Upload Media By URL plugin to create a crafted HTML file hosted on an external server. If a privileged user, such as an administrator, unknowingly accesses the external link, the malicious HTML file can trigger the upload of harmful files onto the WordPress system.
Exploiting the Cross-Site Request Forgery (CSRF)vulnerability
By crafting a malicious HTML file that includes a CSRF payload, attackers can entice administrators with upload privileges to visit the external link. Once the link is accessed, the malicious file exploits the lack of CSRF protection in the plugin to perform unauthorized actions, effectively tricking the administrator into uploading harmful files to the WordPress site.
The CSRF vulnerability in the Upload Media By URL plugin poses severe risks to website administrators and users alike. Beyond the technical implications, it also serves as a potential tool for social engineering attacks. Real-world scenarios include:
Stored Cross-Site Scripting (XSS) Attacks:: Attackers could upload HTML files containing embedded XSS payloads, compromising the security and privacy of users accessing the affected pages, and potentially exposing sensitive data or credentials.In almost all cases , Stored XSS is used to steal cookies , thereby Account Takeover.
Malware Distribution: Malicious files, such as infected scripts or executables, could be uploaded, leading to the dissemination of malware among website visitors or affecting the overall integrity of the website.
Unauthorized Content Injection: Attackers might use this vulnerability to inject unauthorized content into the website, damaging the site’s reputation, or defacing it with inappropriate or harmful materials.
Social Engineering Exploits: Since the plugin allows the upload of files, attackers could craft seemingly innocent files (e.g., images, documents) with misleading names or enticing content to lure unsuspecting users into downloading or opening the files, facilitating social engineering attacks.
Recommendations for Improved Security
To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:
Immediate Plugin Update: Website administrators should update the Upload Media By URL plugin to the latest version, which includes CSRF protection and patches this vulnerability.
Implement CSRF Protection: Plugin developers should include robust CSRF protection mechanisms when processing sensitive actions, such as file uploads, to prevent unauthorized access.
Regular Security Audits: Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
User Privilege Restriction: Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
User Awareness: Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.
By addressing the CSRF vulnerability in the Upload Media By URL plugin and implementing these security recommendations, website owners can significantly reduce the likelihood of security breaches, protect their site’s integrity, and safeguard against social engineering exploits.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
