We recently discovered a serious remote code execution (RCE) vulnerability in the popular JetEngine WordPress plugin. The vulnerability lies in the fact that this plugin doesn't adequately ensure that uploaded files are not executable. As a result, this issue could allow an attacker to upload malicious files and execute arbitrary code on the victim's machine. The vulnerability has been assigned the identifier CVE-2023-1406.

In this post, we will dive deep into the technical details of this vulnerability, the vulnerable code snippets, and discuss how you can exploit this vulnerability to attack an unsuspecting user.

Affected Versions

JetEngine WordPress plugin versions before 3.1.3.1 are vulnerable to this RCE vulnerability.

Exploit Details

The vulnerability primarily results from the inadequate file validation logic within the JetEngine plugin. When a user uploads a file, the plugin should verify whether the file is executable or not. However, the plugin fails to do so, and this allows attackers to upload and execute malicious files on the victim's machine.

Here's a code snippet that demonstrates the inadequate file validation logic in the vulnerable JetEngine plugin:

function jet_engine_upload_file() {
    check_ajax_referer( 'jet_engine_upload', '_nonce' );

    // ... more code ...

    // The issue is that this block only checks the reported MIME type ($type)
    // against the allowed list. The file name's extension is never inspected,
    // so a file with an executable extension but an allowed MIME type passes.
    if ( ! in_array( $type, get_allowed_mime_types() ) ) {
        wp_send_json_error( array( 'message' => __( 'Sorry, this file type is not permitted for security reasons.', 'jet-engine' ) ) );
    }

    // ... more code ...

}

The above code snippet shows the jet_engine_upload_file() function, which is responsible for handling file uploads. The problem lies in the check for allowed MIME types – it doesn't consider file extensions when verifying whether a file is executable or not. This oversight enables attackers to upload malicious files that have valid MIME types but dangerous file extensions.

To exploit this vulnerability, an attacker needs to follow these steps:

1. Create a malicious file with an executable extension (e.g., .php). Make sure the file's MIME type matches one of the allowed MIME types in the JetEngine plugin (e.g., image/jpeg).

2. Edit the file's metadata to manipulate the MIME type to be one of the allowed MIME types in the JetEngine plugin. Tools like Exiftool can be used for this purpose.

3. Upload the malicious file using the JetEngine plugin's file upload feature.

4. Access the malicious file by navigating to its URL. This will execute the arbitrary code within the file and cause it to run on the victim's machine.

Mitigation

To mitigate this vulnerability, users should update their JetEngine WordPress plugin to version 3.1.3.1 or later. The developers of JetEngine have fixed this vulnerability in this release and improved the file validation logic to properly verify file extensions when determining whether a file is executable or not.
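The following is an added example, not JetEngine's own code or its actual fix, of what an upload check that validates the extension as well as the MIME type looks like in a WordPress plugin. It assumes the WordPress runtime is loaded and that $file is one entry of $_FILES; the function name jet_engine_safe_upload_check() is hypothetical.

```php
<?php
// Added example (hypothetical helper, not the plugin's code): reject uploads
// unless BOTH the file name's extension and the sniffed content are permitted.
function jet_engine_safe_upload_check( array $file ) {
    $allowed = get_allowed_mime_types(); // e.g. 'jpg|jpeg|jpe' => 'image/jpeg'

    // 1. Extension allowlist derived from the keys of get_allowed_mime_types().
    //    This is the check the vulnerable snippet above was missing.
    $allowed_exts = array();
    foreach ( array_keys( $allowed ) as $pattern ) {
        foreach ( explode( '|', $pattern ) as $e ) {
            $allowed_exts[] = strtolower( $e );
        }
    }
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( '' === $ext || ! in_array( $ext, $allowed_exts, true ) ) {
        return new WP_Error( 'bad_extension', 'File extension is not permitted.' );
    }

    // 2. Refuse interpreter extensions anywhere in the name (e.g. name.php.jpg),
    //    since some web server handler configurations match inner extensions.
    $blocked = array( 'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar' );
    foreach ( explode( '.', strtolower( $file['name'] ) ) as $part ) {
        if ( in_array( $part, $blocked, true ) ) {
            return new WP_Error( 'bad_extension', 'Executable file names are not permitted.' );
        }
    }

    // 3. Let WordPress sniff the actual content and reconcile it with the
    //    extension; a mismatch yields empty 'ext'/'type'. A client-supplied
    //    MIME type (the only thing the vulnerable code looked at) is ignored.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File content does not match a permitted type.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // WordPress determined a more accurate name from the content; use it.
        $file['name'] = $check['proper_filename'];
    }

    return $file; // safe to hand to wp_handle_upload()
}
```

Note that the content check in step 3 relies on the server having the fileinfo extension available; without it, steps 1 and 2 still enforce the extension policy.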

Here's a link to the official JetEngine plugin page, where you can download the latest version and find more information about the plugin: JetEngine WordPress plugin

Conclusion

The CVE-2023-1406 vulnerability demonstrates the importance of proper file validation and how a simple oversight can lead to severe and critical RCE vulnerabilities. Keep your plugins up-to-date and ensure you're using the latest versions to prevent vulnerabilities like this from affecting your WordPress website.

Timeline

Published on: 04/10/2023 14:15:00 UTC
Last modified on: 04/24/2023 13:15:00 UTC