During testing, a vulnerability, CVE-2023-5907, was found in the File Manager WordPress plugin, version 6.3 and below. The plugin does not confine its "Root Folder Path" setting to the WordPress installation directory, so a user who can reach the plugin's settings page in wp-admin can point the file manager at any directory on the server, either directly (for example /home) or through path traversal (for example /var/www/html/../../../etc). The result is Arbitrary OS File/Folder Access and Path Traversal outside the web root.
Main info:
| Field | Value |
|---|---|
| CVE | CVE-2023-5907 |
| Plugin | File Manager |
| Severity | High |
| All-time downloads | 1,093,265 |
| Active installations | 20,000+ |
| Publicly published | November 21, 2023 |
| Last updated | November 21, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A1: Injection |
| PoC | Yes |
| Exploit | Not yet published |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5907 , https://wpscan.com/vulnerability/f250226f-4a05-4d75-93c4-5444a4ce919e/ |
| Plugin Security Certification by CleanTalk | |
Timeline
| Date | Event |
|---|---|
| October 3, 2023 | Plugin testing and vulnerability detection in the File Manager plugin were completed |
| October 3, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| November 20, 2023 | The author fixed the vulnerability and released the plugin update |
| November 21, 2023 | CVE-2023-5907 registered |
Discovery of the Vulnerability
During testing, it was found that the root folder the plugin reads and displays to the user can be changed freely. File-manager plugins normally confine browsing to the WordPress root (for example /var/www/html), but in this plugin the root folder can be set to any operating system directory, such as /home. The same result can be reached with path traversal, for example /var/www/html/../../../etc, since the "../" segments are not resolved and rejected before the path is used.
Understanding Path Traversal attacks
Path Traversal is an attack in which an attacker navigates beyond the directory boundary an application is supposed to enforce. In WordPress plugins, and in file-management tools in particular, a strict restriction on which directories can be accessed is essential. In the File Manager plugin this restriction is missing, so whoever controls the root folder setting can browse the file system without limit.
Real-world example: an attacker changes the root folder from /var/www/html to /home or another sensitive directory and reads the data stored there.
Exploiting the Path Traversal Vulnerability
Exploiting this vulnerability consists of supplying a root folder value that forces the plugin to read files and directories outside its designated scope. Either an absolute path outside the web root or a path containing "../../" segments works, and from there an attacker can reach sensitive areas of the server and potentially compromise the whole system.
POC:
1. Go to settings page (/wordpress/wp-admin/admin.php?page=file-manager-settings)
2. In the “Root Folder Path” setting, change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc
3. Then navigate to the page of plugin (/wordpress/wp-admin/admin.php?page=file-manager#elf_l1_Lw)
4. You will be able to list the files/folders outside of WordPress root directory
___
The risk associated with this vulnerability is severe. Because the file manager offers read, write and delete operations on whatever it is pointed at, an attacker who can set the root folder can access, modify or delete files and folders anywhere the web server's OS user has permission, leading to data theft, unauthorized system changes or complete compromise of the web application. Note that the settings page lives in wp-admin, so the attacker needs an account that can reach it; the vulnerability removes the boundary between that WordPress role and the underlying operating system.
Real-world scenario: an intruder exploits the vulnerability to read configuration files or sensitive user data outside the web root, causing irreversible damage to the website and its integrity.
Recommendations for Improved Security
- Update to the Latest Version: Ensure the File Manager plugin is updated to the latest version to benefit from security patches.
- Implement Proper Input Validation: The plugin should rigorously validate user
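The following is an added example, not code from the File Manager plugin or from CleanTalk, illustrating the exploitation step above and the input-validation recommendation. It contrasts a naive string-prefix check, which the PoC paths /var/www/html/../../../home pass, with a check that resolves the path first. The function names, the temporary directory layout (a fake /srv/www/html WordPress root next to a /home directory, plus a symlink inside the root that points outside it) and the sample inputs are assumptions constructed for the illustration.

```python
"""Root-folder validation for a file-manager style "Root Folder Path" setting.

Added example, not the plugin's own code. The function names, the sample
directory tree and the inputs below are assumptions for illustration.
"""
import os
import tempfile
from typing import Dict, Tuple


def naive_root_check(requested: str, wp_root: str) -> bool:
    """Weak check: string prefix on the raw, unresolved value.

    '/var/www/html/../../../home' starts with '/var/www/html', so it passes,
    and so does a symlink inside the root that points elsewhere.
    """
    return requested.startswith(wp_root)


def hardened_root_check(requested: str, wp_root: str) -> bool:
    """Resolve '..' segments and symlinks first, then require the result to be
    the WordPress root itself or a path strictly below it.

    The trailing os.sep prevents '/var/www/html2' from matching '/var/www/html'.
    """
    base = os.path.realpath(wp_root)
    target = os.path.realpath(requested)
    return target == base or target.startswith(base + os.sep)


def set_root_folder(requested: str, wp_root: str) -> str:
    """What the settings handler should store: the resolved path if it is
    inside the web root, otherwise the web root itself, never the raw string."""
    if hardened_root_check(requested, wp_root):
        return os.path.realpath(requested)
    return os.path.realpath(wp_root)


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample layout (assumption, not a real server):
    <tmp>/srv/www/html   - the WordPress root
    <tmp>/home           - a sibling directory the plugin must never expose
    html/wp-content/escape -> <tmp>/home  (symlink leading outside the root)
    """
    tmp = tempfile.mkdtemp()
    wp_root = os.path.join(tmp, "srv", "www", "html")
    os.makedirs(os.path.join(wp_root, "wp-content"))
    os.makedirs(os.path.join(tmp, "home"))
    os.symlink(os.path.join(tmp, "home"),
               os.path.join(wp_root, "wp-content", "escape"))
    return tmp, wp_root


def run_cases() -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (naive_result, hardened_result)} for the PoC-style inputs."""
    tmp, wp_root = build_demo_tree()
    cases = {
        "inside": os.path.join(wp_root, "wp-content"),
        "root itself": wp_root,
        "absolute /home": os.path.join(tmp, "home"),
        "dot-dot traversal": wp_root + "/../../../home",
        "symlink escape": os.path.join(wp_root, "wp-content", "escape"),
    }
    return {label: (naive_root_check(p, wp_root), hardened_root_check(p, wp_root))
            for label, p in cases.items()}


def fallback_demo() -> bool:
    """True if a traversal value is replaced by the web root when saved."""
    _, wp_root = build_demo_tree()
    chosen = set_root_folder(wp_root + "/../../../home", wp_root)
    return chosen == os.path.realpath(wp_root)


if __name__ == "__main__":
    for label, (naive, hardened) in run_cases().items():
        print(f"{label:20s} naive={naive!s:5s} hardened={hardened}")
    print("traversal value falls back to web root:", fallback_demo())
```

Two of the five inputs separate the checks: the dot-dot traversal and the symlink escape both pass the prefix test and both fail once the path is resolved with realpath. Running the check on the resolved path at save time, and again at request time before listing or writing, closes the gap described in the PoC.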
Promptly addressing and patching such vulnerabilities is crucial to maintaining the security and integrity of WordPress sites. Users and developers alike play pivotal roles in ensuring the robustness of the WordPress ecosystem.
DMITRII I.