When testing the plugin, the vulnerability “Insecure direct object references (IDOR)” was discovered, which allows you to view someone else’s folder through a specialized request to the server and download files of someone else without his consent, even if he did not share the file. All users and their files that they have ever downloaded are at risk. This vulnerability can be carried out from the user with the lowest privileges – “Subscriber”, if there is a page with the plugin’s shortcode on your site, or on behalf of the user “Contributor” to create a page with this plugin.
|User Private Files – WordPress File Sharing Plugin
|October 9, 2023
|October 9, 2023
|A5: Broken Access Control
|Will be later
|Plugin Security Certification by CleanTalk
|August 14, 2023
|Plugin testing and vulnerability detection in the User Private Files – WordPress File Sharing Plugin plugin have been completed
|August 14, 2023
|I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
|September 26, 2023
|The author has released a fix update
|October 9, 2023
Discovery of the Vulnerability
While conducting a comprehensive evaluation of the User Private Files plugin, a significant security vulnerability was identified – “Insecure Direct Object References (IDOR).” This vulnerability allows malicious actors to access someone else’s folders, download files without consent, and potentially expose sensitive data. Even users who have never shared their files are at risk. Remarkably, this security flaw can be exploited by users with minimal privileges, such as “Subscribers,” provided that a page with the plugin’s shortcode exists on the website or by “Contributors” when creating a page with the plugin.
Understanding of IDOR attack’s
“Insecure Direct Object References (IDOR)” is a security issue where an attacker can manipulate input and gain unauthorized access to data or resources. In the context of this vulnerability, attackers can craft specialized requests to the server to access folders and download files belonging to other users, even without explicit sharing permissions.
Exploiting the IDOR
Exploiting the IDOR vulnerability in the User Private Files plugin involves manipulating requests to access and download files from other users’ folders. Attackers, even with minimal privileges, can craft requests to bypass access controls and obtain sensitive files. This can be accomplished through targeted URL manipulation or by creating pages with the plugin and subsequently accessing files linked to those pages.
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=—————————9502138512374627775493398790
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1691948630%7C6nakHLX7V9a8tsLj73IR18n6O2i78yRcGA3zDOchEqj%7C42aa9939bd3f232972786fa53b21ec360ce77c3a4eeab81598e87bb459445128; thc_time=1693728697; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1691948630%7C6nakHLX7V9a8tsLj73IR18n6O2i78yRcGA3zDOchEqj%7Ce08aa71d0671f82a0540ae982432a502c621e3332be543dcf8daef2f78a255d3
Content-Disposition: form-data; name=”fldr_id”
Content-Disposition: form-data; name=”upf_nonce”
Content-Disposition: form-data; name=”action”
The risks associated with CVE-2023-4836 are substantial. An attacker who successfully exploits this vulnerability can:
- Access sensitive files and data belonging to other users.
- Download files without the owner’s consent, even if they were never shared.
- Potentially expose confidential information.
- Compromise the privacy and security of user data.
In a real-world scenario, imagine an attacker leveraging this vulnerability to access and download files from unsuspecting users on a website utilizing the User Private Files plugin. By manipulating URLs or creating pages with the plugin, the attacker can access files that were never meant to be shared or accessed by unauthorized users. This could lead to data breaches, privacy violations, and reputational damage to the website.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2023-4836 and enhance the overall security of websites using the User Private Files plugin, consider the following recommendations:
- Update the plugin: Ensure the User Private Files plugin is updated to the latest version, which should include a patch to address this vulnerability.
- Access controls: Implement robust access controls and authorization mechanisms to prevent unauthorized access to user files and data.
- Security testing: Conduct thorough security testing and vulnerability assessments to identify and rectify IDOR vulnerabilities proactively.
- User awareness: Educate website users about privacy and the importance of not sharing sensitive files through public pages or links.
- Least privilege principle: Limit the capabilities and permissions of user roles to reduce the potential impact of a compromised account.
By adhering to these recommendations, website administrators can significantly reduce the risk of IDOR vulnerabilities and enhance the overall security posture of their WordPress installations.
#WordPressSecurity #IDOR #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your websiteDMITRII I.