A critical vulnerability, designated as CVE-2024-7315, has been discovered in the WPvivid plugin, widely used for migration, backup, and staging in WordPress with over 500,000 installations. This flaw exposes highly sensitive data, including database passwords and site configuration details, by exploiting a specific directory (./wp-content/wpvividbackups/wpvivid_log/). If left unpatched, the vulnerability can lead to complete site compromise through brute force attacks on password hashes or direct access to sensitive information.

CVECVE-2024-7315
PluginMigration, Backup, Staging – WPvivid < 0.9.106
CriticalHigh
All Time8 972 678
Active installations500 000+
Publicly PublishedAugust 19, 2024
Last UpdatedAugust 19, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A3: Sensitive Data Exposure
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7315
https://wpscan.com/vulnerability/456b728b-a451-4afb-895f-850ddc4fb589/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

July 25, 2024Plugin testing and vulnerability detection in the Migration, Backup, Staging – WPvivid have been completed
July 25, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024Registered CVE-2024-7315

Discovery of the Vulnerability

During a security audit of WPvivid, researchers found a major flaw in how the plugin stores logs. The directory containing these logs is publicly accessible and can be exploited by unauthorized individuals. By accessing the wpvivid_log directory, attackers can retrieve logs that contain critical information about the site’s structure, file system, and, in some cases, database credentials. This vulnerability is particularly dangerous because it doesn’t require authentication, meaning attackers can exploit it without logging into the site.

The vulnerability is further compounded by the fact that the logs are created using a unique identifier (uniqid) that is based on predictable time-based values. Through algorithmic iteration, an attacker can calculate the uniqid, access the log files, and potentially read backup data or database configurations.

Understanding of Unauthenticated Sensitive Data Exposure attack’s

Sensitive data exposure vulnerabilities occur when applications inadvertently reveal private information to unauthorized users. In the case of WordPress, such data could include database credentials, API keys, or other critical configuration details stored within plugin files or logs. These vulnerabilities are particularly dangerous as they can be exploited without requiring login credentials, allowing attackers to bypass authentication mechanisms entirely.

A similar vulnerability occurred in other WordPress plugins where log files or backup directories were left exposed. Attackers who gain access to this sensitive data can launch brute-force attacks, extract hashed passwords, or directly access critical files on the server. WPvivid’s vulnerability follows this pattern, where improper handling of logs allows attackers to read sensitive information and exploit it for further attacks.

Exploiting the Unauthenticated Sensitive Data Exposure Vulnerability

Exploiting CVE-2024-7315 involves accessing the wpvivid_log directory in the WordPress installation’s wp-content/wpvividbackups/ path. An attacker does not need any authentication to access this directory, making it a prime target for reconnaissance. The logs stored here contain valuable information, including database names, usernames, and in some cases, passwords.

POC:

1) The plugin is being installed
2) Run the first scan
3) After learning the first start time, you can find the desired uniqid. By algorithmic iteration, which depends only on time. This way you can read the logs of the plugin and then read the backups of the database or files.
(The plugin does not use sufficient randomness in the filename that is created when generating a backup, which could be bruteforced by attackers to leak sensitive information about said backups.)

____

The impact of CVE-2024-7315 is far-reaching. The exposure of database passwords can result in complete control over the WordPress installation. Attackers could modify the site, exfiltrate sensitive user data, or introduce backdoors to maintain long-term access. For e-commerce websites or those handling sensitive customer data, this vulnerability could lead to severe consequences, including data breaches, financial loss, and reputational damage.

In a real-world scenario, an attacker could exploit this vulnerability by scraping publicly accessible logs from a large number of WordPress sites using WPvivid. Once sensitive data, such as database passwords, is obtained, the attacker could launch automated attacks on these sites, causing widespread compromise and further escalating their control over the compromised systems.

Recommendations for Improved Security

To protect against CVE-2024-7315, it is imperative that administrators update WPvivid to the latest version as soon as a patch is released. Plugin developers should implement stricter access controls on directories like wpvivid_log, ensuring that sensitive log files are not publicly accessible. Additionally, developers must improve the handling of uniqids, using more secure and unpredictable methods to generate these values, making it harder for attackers to predict log file locations.

Administrators can further protect their sites by implementing web application firewalls (WAF) to block unauthorized access to sensitive directories. Regularly reviewing plugin settings and performing security audits to detect any potential vulnerabilities before they are exploited is also recommended. Finally, database passwords should be rotated regularly, and strong password policies should be enforced to minimize the impact of potential breaches.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-7315, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #SensitiveDataExposure #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.
CVE-2024-7315 – Migration, Backup, Staging – WPvivid – Unauth Sensitive Data Exposure and Database password leak – POC

Create your CleanTalk account



By signing up, you agree with license. Have an account? Log in.


Leave a Reply

Your email address will not be published. Required fields are marked *