The ubiquity of WordPress as a platform for diverse online initiatives has unfortunately made it a prime target for security breaches. The latest to come under the spotlight is the “Insert or Embed Articulate Content into WordPress” plugin, which is now flagged for a critical Remote Code Execution (RCE) vulnerability. This security loophole, tracked under CVE-2024-5630, jeopardizes websites by allowing arbitrary code execution through seemingly benign ZIP file uploads.
| Property | Value |
| --- | --- |
| CVE | CVE-2024-5630 |
| Plugin | Insert or Embed Articulate Content into WordPress < 4.3000000024 |
| Critical | Very High |
| All Time | 124 292 |
| Active installations | 3 000+ |
| Publicly Published | June 27, 2024 |
| Last Updated | June 27, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5630, https://wpscan.com/vulnerability/538c875f-4c20-4be0-8098-5bddb7aecff4/ |
Timeline
| Date | Event |
| --- | --- |
| May 17, 2024 | Plugin testing and vulnerability detection in the Insert or Embed Articulate Content into WordPress Trial have been completed |
| May 17, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| June 27, 2024 | Registered CVE-2024-5630 |
Discovery of the Vulnerability
This alarming vulnerability was unearthed during routine security testing aimed at ensuring the integrity of plugins commonly used within the WordPress ecosystem. The flaw specifically exists within the file upload functionality of the plugin, which improperly handles ZIP file contents, allowing for the execution of malicious scripts.
Understanding RCE Attacks
Remote Code Execution (RCE) is among the most severe types of vulnerabilities, as it permits attackers to execute arbitrary code on the server hosting the WordPress site. This can lead to unauthorized data access, website defacement, and even complete site takeover. Similar vulnerabilities in the past have led to widespread attacks, significantly impacting the digital presence of affected entities.
Exploiting the RCE Vulnerability
The exploitation process involves an attacker with author-level access uploading a ZIP file that contains a PHP script alongside a benign-looking HTML file. Once the plugin extracts the ZIP on the server, the malicious script can be reached via a direct URL, leading to the execution of the embedded PHP code.
POC:
1) Go to http://your_site/wordpress/wp-admin/post-new.php and create a new Post.
2) Add an e-Learning widget inside the Page and upload a zip file containing two files: first, a default HTML file such as main.html; second, a PHP file named "relay.php" (this file contains the PHP code).
3) After uploading, check the URL http://your_site/wordpress/wp-content/uploads/articulate_uploads/{name_of_zip}/cmd.phar?cmd=ls____
The potential risks associated with this vulnerability are vast, ranging from data theft and loss of service to reputational damage and regulatory scrutiny. In real-world scenarios, such vulnerabilities have been exploited to establish persistent access to the victim’s environment, enabling further lateral movements and escalating privileges within the network.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-5630, it is crucial for users of the plugin to:
- Immediately update to the latest version that patches this vulnerability.
- Employ rigorous file validation checks on all uploads, especially those that allow executable content.
- Regularly audit and monitor all web activities and file uploads to detect and respond to suspicious actions swiftly.
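One way to implement the upload validation recommended above, applied to the ZIP-extraction step described in the exploitation section (an added example, not the plugin's or CleanTalk's code): every entry name in the archive is checked before anything is written, and the extraction folder gets an Apache 2.4 deny rule as a second layer. BLOCKED_EXTENSIONS, zip_entry_is_safe and extract_course_zip are names chosen for this example.

```php
<?php
// Added example, not the plugin's code: inspect every entry of an uploaded course
// ZIP before extraction, refusing PHP-executable names and paths that escape $destDir.
// Suffixes PHP/Apache may run; checked on every dotted part, so "x.php.html" is refused too.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                            'phtml', 'phar', 'phps', 'pht', 'htaccess'];

function zip_entry_is_safe(string $name): bool
{
    // No absolute paths, no backslashes, no ".." segments (zip-slip).
    if ($name === '' || $name[0] === '/' || strpos($name, '\\') !== false) {
        return false;
    }
    if (in_array('..', explode('/', $name), true)) {
        return false;
    }
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts); // drop the stem; ".htaccess" leaves ['htaccess']
    foreach ($parts as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

function extract_course_zip(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['ok' => false, 'reason' => 'not a valid ZIP archive'];
    }
    // Pass 1: inspect all entries before a single byte is written to disk.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!zip_entry_is_safe($name)) {
            $zip->close();
            return ['ok' => false, 'reason' => "rejected entry: $name"];
        }
    }
    // Pass 2: extract, then deny script execution in the folder (Apache only).
    $ok = $zip->extractTo($destDir);
    $zip->close();
    if ($ok) {
        file_put_contents($destDir . '/.htaccess',
            '<FilesMatch "\.(php|phar|phtml|phps|pht)[0-9]*(\.|$)">' . "\n"
            . 'Require all denied' . "\n" . '</FilesMatch>' . "\n");
    }
    return ['ok' => $ok, 'reason' => $ok ? '' : 'extraction failed'];
}
```

An archive shaped like the one in the PoC (main.html plus relay.php) is refused in pass 1 and nothing is extracted; on nginx, the .htaccess file has no effect and an equivalent location rule denying .php handlers under the uploads path is needed instead.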
By taking proactive measures to address RCE vulnerabilities like CVE-2024-5630, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
DMITRII I.