During the security assessment of the Mmm Simple File List plugin, a critical vulnerability was unearthed in versions up to 2.3. This vulnerability allowed an attacker to bypass the plugin’s directory restrictions, potentially accessing and listing files outside the WordPress root directory. This issue could be exploited by a user with Subscriber privileges.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2023-4297 |
| Plugin | Mmm Simple File List plugin |
| Critical | Very High |
| Vulnerable sites | 23 700 |
| Publicly Published | November 07, 2023 |
| Last Updated | November 07, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A1: Injection |
| PoC | Yes |
| Exploit | To be published later |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4297, https://wpscan.com/vulnerability/9ff85b06-819c-459e-90a9-6151bfd70978/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| July 17, 2023 | Plugin testing and vulnerability detection in the Mmm Simple File List plugin were completed |
| July 17, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 5, 2023 | The author closed the plugin |
| November 7, 2023 | CVE-2023-4297 registered |
Discovery of the Vulnerability
While testing the plugin, we found that the folder attribute of the plugin's shortcode could be pointed at an arbitrary directory and used to list the files in any folder on the operating system. Nothing stops the requested path from leaving the WordPress root directory. All of this can be done by a user with Subscriber privileges.
Understanding LFI Attacks
LFI, or Local File Inclusion, is a web application vulnerability that allows an attacker to include files on a server through the web browser. In the context of the Mmm Simple File List plugin, LFI meant that an attacker could access files outside the expected directory, breaching the plugin’s intended file access limitations.
Exploiting the LFI Vulnerability
The LFI vulnerability in the Mmm Simple File List plugin could be exploited by manipulating the plugin’s shortcode parameters. By modifying these parameters, an attacker could traverse directories and gain access to files located in unintended locations. This technique could potentially lead to unauthorized access to sensitive files, including system configuration files, databases, or even critical application data.
PoC shortcode:
[MMFileList folder="../../../../../../../../../../home" format="table" types="" class="" headings=""]
___
The Mmm Simple File List LFI vulnerability posed a significant risk to websites using this plugin. In real-world scenarios, a malicious user with Subscriber privileges could leverage this vulnerability to:
- Access sensitive configuration files, which might contain credentials, API keys, or other confidential information.
- View and potentially exfiltrate critical data stored outside the web root directory.
- Gain insights into the server’s file structure, potentially identifying other targets for exploitation.
This could result in data breaches, loss of confidential information, or even compromise the entire web server.
Recommendations for Improved Security
To enhance security and prevent LFI vulnerabilities in WordPress plugins, developers should:
- Implement proper input validation and output encoding to restrict file inclusion to legitimate locations.
- Enforce strict access control to ensure that only authorized users can access the plugin’s functionality.
- Regularly update the plugin to address known vulnerabilities and enhance overall security.
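As an added, defender-side example (PHP written for this article, not code from the plugin or from CleanTalk), the function below shows the check that the shortcode's folder attribute described above should pass before any directory is listed, which is what the first recommendation means in practice. The function name mmfl_safe_folder, the demo directory tree and the sample requests are assumptions for illustration; in a real plugin the base directory would come from wp_upload_dir()['basedir'] and only the returned canonical path would be handed to the listing code.

```php
<?php
// Added example (not the plugin's own code): resolve a shortcode "folder"
// attribute against a fixed base directory and refuse anything that escapes it.
// realpath() collapses "." and "..", resolves symlinks and returns false for
// paths that do not exist, so the prefix comparison is made on canonical paths.

function mmfl_safe_folder(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null; // the allowed root itself must exist
    }

    // Reject empty input, NUL bytes and absolute paths: only a relative
    // subfolder of the base directory is a legitimate request here.
    // (realpath() in PHP 8 throws on NUL bytes, so check it first.)
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if ($requested[0] === '/' || $requested[0] === '\\' || preg_match('#^[A-Za-z]:#', $requested)) {
        return null;
    }

    // Canonicalise base + requested; nonexistent paths resolve to false.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }

    // Canonical prefix check: the result is either the base directory itself
    // or starts with "<base>/". Testing without the trailing separator would
    // wrongly accept "/srv/uploads2" when the base is "/srv/uploads".
    if ($candidate !== $base && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

// --- Demo on a constructed directory tree in the system temp folder ---------
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mmfl_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/public', 0700, true);

$requests = [
    'public',                                // legitimate subfolder
    'public/../public',                      // harmless "..", stays inside
    '../../../../../../../../../../home',    // traversal out of the base
    '/etc',                                  // absolute path
    "public\0/../..",                        // NUL byte
    'does-not-exist',                        // nonexistent folder
];

foreach ($requests as $req) {
    $resolved = mmfl_safe_folder($base, $req);
    printf("%-40s => %s\n",
        str_replace("\0", '\\0', $req),
        $resolved === null ? 'REJECTED' : 'OK: ' . $resolved);
}

rmdir($base . '/public');
rmdir($base);
```

Only the first two requests are accepted; the traversal, absolute, NUL-byte and nonexistent cases all return null and the caller renders nothing. This addresses the second recommendation as well when the resolver is paired with a capability check such as current_user_can('upload_files') (a capability Subscribers do not have) wherever the shortcode's folder value can be set, so that low-privilege users cannot influence which directory is listed.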
Website administrators should also ensure they keep their plugins up-to-date and exercise caution when granting user privileges, especially for plugins that handle file management.
In conclusion, the CVE-2023-4297 vulnerability in the Mmm Simple File List plugin highlights the importance of robust security practices in WordPress plugin development and usage. By addressing LFI vulnerabilities promptly, developers and website administrators can help protect their sites and sensitive data from potential exploitation.
#WordPressSecurity #LFI #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.