During rigorous testing, a critical vulnerability was found in the Frontend File Manager Plugin for WordPress, in all releases before the fix the author published on November 6, 2023, and tracked as CVE-2023-5105. It is a path traversal flaw that lets an attacker download arbitrary files from the server's filesystem, including sensitive ones such as wp-config.php. The severity comes from the potential compromise of the entire site, and it is especially alarming because an account with only the Editor role is enough to exploit it.

Main info:

CVE: CVE-2023-5105
Plugin: Frontend File Manager Plugin
Critical: Very High
All Time: 178 210
Active installations: 1000+
Publicly Published: November 13, 2023
Last Updated: November 13, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A3: Sensitive Data Exposure
PoC: Yes
Exploit: Will be later
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5105
https://wpscan.com/vulnerability/d40c7108-bad6-4ed3-8539-35c0f57e62cc/

Timeline

September 21, 2023: Plugin testing and vulnerability detection in the Frontend File Manager Plugin have been completed
September 21, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 6, 2023: The author fixed the vulnerability and released the plugin update
November 13, 2023: Registered CVE-2023-5105

Discovery of the Vulnerability

During testing of the plugin, a vulnerability was discovered that bypasses the plugin's file-download logic and allows files from the server's filesystem, including PHP source files, to be downloaded. The plugin records the location of each managed file per file (the wpfm_dir_path and wpfm_file_url fields) and serves whatever location is stored there, so an attacker who can edit those values can point them at wp-config.php, download it, connect to the database with the credentials it contains and take over the site completely, with terrible consequences. This is very critical because the whole attack can be carried out as an Editor, a role that has no capability to work with files or code directly.

Understanding Path Traversal Attacks

Path traversal, also known as directory traversal, is a web security vulnerability that allows attackers to access files and directories outside the directory the application is meant to serve from. In the context of WordPress, this means reaching beyond the intended file paths (typically wp-content/uploads) to read sensitive files or to feed attacker-chosen paths into file operations. In the case of the Frontend File Manager Plugin, it meant a user who is not supposed to have filesystem access at all, an Editor, could download critical files from the server.

Exploiting the Path Traversal Vulnerability

Exploiting the path traversal vulnerability in the Frontend File Manager Plugin involves manipulating the stored location of a managed file so that the download request resolves to a path outside the uploads directory. The plugin does not verify that the stored path stays inside its own directory, so an attacker can make it serve files such as wp-config.php, which contains the database credentials and authentication salts. The exploit runs from an account with the Editor role, which is not normally able to manipulate files or code directly.

POC:

1) Create a new post containing this shortcode: [ffmwp]

2) Open the new post and upload any file

3) Then go to the plugin's file list in the admin area: http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files

4) Click the "Edit" button for the uploaded file

5) Change wpfm_dir_path and wpfm_file_url to /var/www/html/wordpress/wp-config.php (the absolute path of wp-config.php on the test server; adjust it to the target's install path)

6) Go back to the file list at http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files and click "Download"; the response is the contents of wp-config.php

___

The consequences of this vulnerability are severe. An attacker exploiting CVE-2023-5105 could:

  • Read wp-config.php and obtain the database credentials and authentication salts it contains.
  • Use that access to execute arbitrary code, leading to a complete takeover of the WordPress site.
  • Compromise the entire domain, leading to data loss, unauthorized access, and potential reputational damage.

In a real-world scenario, an Editor-level user could unwittingly become a vector for a malicious actor to compromise the entire WordPress site.

Recommendations for Improved Security

To mitigate the risks associated with path traversal vulnerabilities in WordPress plugins:

  • Developers should validate and sanitize every user-controlled path, resolve it to its real location and refuse anything that does not stay inside the directory the plugin is meant to serve from.
  • Update the Frontend File Manager Plugin to the release published on November 6, 2023 or later, which contains the fix for this issue.
  • Administrators should apply the principle of least privilege, limiting the capabilities of user roles, even trusted ones like Editors.
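As an added illustration (example code written for this page, not the plugin's own source, which is PHP), the block below models the download step from the PoC in Python. A handler that trusts the stored wpfm_dir_path value serves whatever that path points at, which is exactly what step 5 of the PoC abuses; the hardened version resolves the path and refuses anything outside the uploads directory, which is the check the first recommendation asks developers to implement. The same containment test doubles as an incident-response audit over wpfm_dir_path entries. The directory tree, the wp-config.php contents and the wp_postmeta rows are constructed fixtures, the uploads location is an assumption, and the PHP equivalent is realpath() compared against wp_upload_dir()['basedir'].

```python
import os
import tempfile
from pathlib import Path


def build_fixture():
    """Constructed stand-in for a WordPress install: an uploads dir and a wp-config.php."""
    root = Path(tempfile.mkdtemp(prefix="wp_"))
    uploads = root / "wp-content" / "uploads" / "wpfm"   # assumed plugin upload location
    uploads.mkdir(parents=True)
    (uploads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample upload")
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_PASSWORD', 'constructed-secret');\n"
    )
    return str(root), str(uploads)


def sample_postmeta(root, uploads):
    """Constructed wp_postmeta rows: one honest upload and two tampered paths (PoC step 5)."""
    return [
        {"post_id": 7, "meta_key": "wpfm_dir_path",
         "meta_value": os.path.join(uploads, "report.pdf")},
        {"post_id": 8, "meta_key": "wpfm_dir_path",
         "meta_value": os.path.join(root, "wp-config.php")},
        {"post_id": 9, "meta_key": "wpfm_dir_path",
         "meta_value": os.path.join(uploads, "..", "..", "..", "wp-config.php")},
    ]


def vulnerable_download(meta_value):
    """Vulnerable pattern: serve whatever path is stored for the file, no containment check."""
    with open(meta_value, "rb") as f:
        return f.read()


def resolve_inside(base_dir, candidate):
    """Return the real path of candidate if it is a regular file under base_dir, else None."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)  # collapses .. segments and follows symlinks
    # commonpath, not startswith: "/uploads" must not accept "/uploads_evil/x"
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return target


def hardened_download(uploads_dir, meta_value):
    """Hardened pattern: only serve files that resolve inside the uploads directory."""
    target = resolve_inside(uploads_dir, meta_value)
    if target is None:
        raise PermissionError(f"refusing to serve {meta_value!r}: outside {uploads_dir}")
    with open(target, "rb") as f:
        return f.read()


def audit_postmeta(uploads_dir, rows):
    """IR check: post_ids whose wpfm_dir_path resolves outside uploads (tampered entries)."""
    # wpfm_file_url holds a URL, not a path; compare it against wp_upload_dir()['baseurl'] instead
    return sorted(
        row["post_id"]
        for row in rows
        if row["meta_key"] == "wpfm_dir_path"
        and resolve_inside(uploads_dir, row["meta_value"]) is None
    )


if __name__ == "__main__":
    root, uploads = build_fixture()
    rows = sample_postmeta(root, uploads)
    print("vulnerable handler leaks:", vulnerable_download(rows[1]["meta_value"]))
    for row in rows:
        try:
            hardened_download(uploads, row["meta_value"])
            print("post", row["post_id"], "served")
        except PermissionError as err:
            print("post", row["post_id"], "blocked:", err)
    print("tampered post_ids:", audit_postmeta(uploads, rows))
```

The containment test uses os.path.commonpath on the resolved paths rather than a string prefix check, because a prefix check accepts sibling directories whose names merely start with the uploads path. For a live site, the audit half corresponds to listing wpfm_dir_path values from wp_postmeta and flagging any that do not resolve under the uploads directory; a hit there after exposure to this CVE means the site should be treated as compromised and its database credentials and salts rotated.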

Promptly addressing and patching such vulnerabilities is crucial to maintaining the security and integrity of WordPress sites. Users and developers alike play pivotal roles in ensuring the robustness of the WordPress ecosystem.


DMITRII I.

CVE-2023-5105 – Frontend File Manager Plugin – Path Traversal to Full Control – POC