The WordPress ecosystem is renowned for its vast collection of plugins, but that same breadth makes it a frequent source of vulnerabilities and security issues. One such plugin is Forminator, which was found to contain an arbitrary file upload vulnerability (CVE-2023-4596) in versions up to, and including, 1.24.6. If exploited, this vulnerability allows unauthenticated attackers to upload arbitrary files to the server hosting a WordPress site running the affected Forminator plugin, potentially leading to remote code execution.

Details of Vulnerability

As mentioned earlier, the vulnerable plugin is Forminator for WordPress, which is primarily used to create custom forms, polls, and quizzes. The specific function having the vulnerability is upload_post_image() in the affected versions. The vulnerability lies in the fact that the file type validation occurs after the file has been uploaded to the server, rather than before the upload. This makes it possible for an unauthenticated attacker to exploit this vulnerability and upload arbitrary files to the server.

Here is a code snippet from the upload_post_image() function that demonstrates this vulnerability (the elided portion derives $ext from the uploaded file name and builds $new_name):

function upload_post_image( $file, $path, $url, $allowed, $entry_id = false )
{
  ...
  // $ext and $new_name are computed in the elided code above.

  // File is written into the target directory before its type is checked
  move_uploaded_file( $file['tmp_name'], $path . $new_name );

  // File type is only validated after the file already exists on disk;
  // if the allowlist is non-empty and the extension is not in it, the file is deleted
  if ( 0 < count( $allowed ) && ! in_array( $ext, $allowed ) ) {
    unlink( $path . $new_name );
    return [ 'error' => __( "This file type is not allowed. Please try another.", "forminator" ) ];
  }
  return [ 'url' => $url . $new_name, 'path' => $path . $new_name ];
}
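For contrast, here is a hardened variant of the same flow. This is an added example written for this page, not Forminator's code or its actual patch: it checks the extension against the allowlist and sniffs the real content of the temporary file before move_uploaded_file() is ever called, so a rejected upload never reaches the served directory. The function name safe_upload_post_image(), the $allowed_mimes mapping and the error strings are assumptions for illustration.

```php
<?php
// Added example, not Forminator's code. Hardened counterpart of the snippet above:
// validate first, move second. Assumes $allowed is an array of lowercase extensions
// and $path / $url already end with a directory separator is NOT assumed (handled below).

function safe_upload_post_image( array $file, string $path, string $url, array $allowed ): array {
    // Basic sanity: the PHP upload must have succeeded and must be a real upload,
    // not an arbitrary path smuggled into $file['tmp_name'].
    if ( ! isset( $file['tmp_name'], $file['name'] ) || ( $file['error'] ?? UPLOAD_ERR_NO_FILE ) !== UPLOAD_ERR_OK ) {
        return [ 'error' => 'Upload failed.' ];
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return [ 'error' => 'Invalid upload source.' ];
    }

    // Constructed mapping for the example (assumption); a real plugin would derive
    // this from WordPress's get_allowed_mime_types().
    $allowed_mimes = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    // 1. Extension check on the client-supplied name: case-insensitive, allowlist only.
    //    An empty allowlist rejects everything instead of allowing everything.
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( '' === $ext || ! in_array( $ext, $allowed, true ) || ! isset( $allowed_mimes[ $ext ] ) ) {
        return [ 'error' => 'This file type is not allowed.' ];
    }

    // 2. Content check: sniff the bytes of the temp file. $file['type'] is attacker
    //    controlled and is deliberately ignored.
    $finfo     = new finfo( FILEINFO_MIME_TYPE );
    $real_mime = $finfo->file( $file['tmp_name'] );
    if ( $real_mime !== $allowed_mimes[ $ext ] ) {
        return [ 'error' => 'File content does not match its extension.' ];
    }

    // 3. Server-generated file name: random, with the validated extension only,
    //    so the client's basename (and any extra dots or traversal) never reaches disk.
    $new_name = bin2hex( random_bytes( 16 ) ) . '.' . $ext;
    $dest     = rtrim( $path, '/' ) . '/' . $new_name;

    // 4. Only now is the file moved into the served directory.
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return [ 'error' => 'Could not store the file.' ];
    }
    return [ 'url' => rtrim( $url, '/' ) . '/' . $new_name, 'path' => $dest ];
}
```

The ordering is the whole point: in the original, the window between move_uploaded_file() and unlink() is enough for a request to the new URL to execute the file. Here every check runs against the temporary file, which PHP keeps outside the web root, and nothing is written to $path until all checks pass.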

Original References

- CVE Database - The original CVE entry detailing the vulnerability.
- Forminator Plugin on WordPress - The official page for the Forminator plugin on the WordPress plugins repository.
- Vulnerability Disclosure - A detailed disclosure of the vulnerability, along with technical information, mitigation steps, and proof-of-concept exploit code.

Exploit Details

To exploit this vulnerability, an attacker can send a POST request to the target WordPress site with the uploaded file and trigger the upload_post_image() function. Since the validation of the file type happens after the file has been uploaded to the server, the malicious file will be uploaded irrespective of the file type. This might lead to remote code execution if the attacker uploads a file that can execute on the server.

Mitigation

The best way to mitigate this vulnerability is by updating the Forminator plugin to the latest version, which contains a patch to fix the vulnerability. Users who cannot update the plugin immediately can temporarily disable the plugin to prevent potential exploitation.
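For sites that cannot apply the update right away, a must-use plugin can enforce the "disable until patched" advice automatically. This is an added example, not something shipped by Forminator or WordPress: it compares the installed plugin version against the affected range (up to and including 1.24.6, as stated above) and deactivates the plugin if it falls inside it. The plugin file path forminator/forminator.php and the helper names are assumptions.

```php
<?php
/*
 * Plugin Name: Forminator CVE-2023-4596 guard (added example, not an official plugin)
 * Description: Deactivates Forminator while an affected version (<= 1.24.6) is installed.
 */

// Returns true when the given version string is inside the affected range.
function forminator_guard_is_affected( string $version ): bool {
    return version_compare( $version, '1.24.6', '<=' );
}

add_action( 'admin_init', function () {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $plugin_file = 'forminator/forminator.php'; // assumed main file of the Forminator plugin
    $full_path   = WP_PLUGIN_DIR . '/' . $plugin_file;

    if ( ! file_exists( $full_path ) || ! is_plugin_active( $plugin_file ) ) {
        return;
    }

    $data = get_plugin_data( $full_path, false, false );
    if ( empty( $data['Version'] ) || ! forminator_guard_is_affected( $data['Version'] ) ) {
        return; // patched version installed, nothing to do
    }

    // Affected version: deactivate and leave an admin notice explaining why.
    deactivate_plugins( $plugin_file );
    add_action( 'admin_notices', function () use ( $data ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Forminator %s was deactivated because it is affected by CVE-2023-4596; update to a patched version and re-enable it.',
                $data['Version']
            ) )
        );
    } );
} );
```

Drop the file into wp-content/mu-plugins/ so it loads on every request without needing activation; once Forminator is updated past 1.24.6 the guard becomes a no-op and can be removed.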

Conclusion

CVE-2023-4596 is a critical vulnerability in the Forminator plugin for WordPress, allowing unauthenticated attackers to upload arbitrary files to the affected server. WordPress site owners using Forminator should take the necessary precautions by updating the plugin or temporarily disabling it until an update can be applied. Keeping the plugin up-to-date and following security best practices will help ensure your WordPress site remains protected against such threats.

Timeline

Published on: 08/30/2023 02:15:00 UTC
Last modified on: 09/01/2023 18:17:00 UTC