A critical vulnerability, identified as CVE-2023-46205, has been discovered in the Brainstorm Force Ultimate Addons for WPBakery Page Builder plugin. This vulnerability allows an attacker to perform a path traversal attack, which could lead to PHP local file inclusion. If exploited successfully, this can result in the execution of arbitrary PHP code on the server and potentially complete system control. The vulnerability affects Ultimate Addons for WPBakery Page Builder in all versions through 3.19.14.

Vulnerability Details

The improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability exists because the affected versions of the Ultimate Addons plugin for WPBakery Page Builder do not properly verify and sanitize user-supplied input before processing it. As a result, an attacker can craft a request containing a malicious payload to traverse directories and read the contents of sensitive files on the server.

Upon further analysis, this vulnerability can be exploited to include local PHP files, leading to the potential execution of arbitrary PHP code on the server.

The vulnerability can be exploited with a simple HTTP GET request similar to the one shown below:

GET /wp-content/plugins/Ultimate_VC_Addons/params/ultimate_spacing/ultimate_spacing.php?template=../../../../../../../../../../../etc/passwd HTTP/1.1

In this case, the malicious payload is ../../../../../../../../../../../etc/passwd which traverses the file system to access the /etc/passwd file, a sensitive file that contains basic user information on Unix-based systems.

Original References

The vulnerability was first disclosed by an independent security researcher and has been assigned CVE-2023-46205 by MITRE. Additional details about the vulnerability can be found in the NIST National Vulnerability Database (NVD) entry: CVE-2023-46205.

Exploit Details

To successfully exploit this vulnerability, an attacker must have access to a website running the vulnerable version of the Ultimate Addons for WPBakery Page Builder plugin. The attacker needs to craft an HTTP request containing a malicious payload that will cause the plugin to perform a directory traversal, leading to PHP local file inclusion.

Once the attacker has successfully executed arbitrary PHP code on the server, they can potentially escalate their privileges, leading to complete control over the server and all its contents. This could include access to sensitive data, unauthorized modification of content, and potentially the ability to execute additional attacks on other systems.

The following steps should be taken to mitigate the vulnerability:

1. Update the Ultimate Addons for WPBakery Page Builder plugin to the latest version (3.19.15 or later). The Brainstorm Force team has released a patch addressing this vulnerability, and it is highly recommended that users update immediately to protect their websites.

2. If updating the plugin is not possible, create and configure a .htaccess file to limit or block access to the ultimate_spacing.php file that is instrumental in exploiting this vulnerability.

3. Ensure that all other plugins, themes, and WordPress itself are up-to-date with the latest security patches.

4. Regularly review and monitor web server logs for suspicious activity or signs of exploitation.

5. Implement appropriate network segmentation and access controls to limit an attacker's ability to move laterally within the network or access sensitive information.
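
For the log review in step 4, the following detector is an added example written for this page, not code from the plugin or its vendor. It scans combined-format access log lines for requests to ultimate_spacing.php whose template parameter decodes to a path with parent-directory segments. The script and parameter names come from the sample request above; the log lines, IP addresses and helper names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script and parameter names are taken from the sample request on this page.
TARGET_SCRIPT, PARAM = "ultimate_spacing.php", "template"

# Client IP, request URI and status from a combined-format access log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding is normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value has a parent-directory segment or is an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/") or path.startswith("/")

def scan(lines):
    """Return (ip, status, uri) for each request to the script with a traversal in PARAM."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not fully_decode(parts.path).lower().endswith("/" + TARGET_SCRIPT):
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        if any(k == PARAM and is_traversal(v) for k, v in params):
            hits.append((m.group("ip"), int(m.group("status")), m.group("uri")))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
BASE = "/wp-content/plugins/Ultimate_VC_Addons/params/ultimate_spacing/ultimate_spacing.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET {BASE}?template=../../../etc/passwd HTTP/1.1" 200 1843',
    f'203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET {BASE}?template=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 199',
    f'198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "GET {BASE}?template=default HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2024:10:01:05 +0000] "GET /index.php?template=../x HTTP/1.1" 200 100',
]
if __name__ == "__main__":
    for ip, status, uri in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {uri}")
```

The status code in each hit helps triage: a 200 response to a traversal request deserves closer investigation than one the server already rejected.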

Conclusion

This vulnerability highlights the importance of diligently updating all plugins, themes, and the core WordPress installation. Attackers are constantly scanning websites for known vulnerabilities, and outdated plugins represent an easy entry point. By staying informed about security updates and promptly applying patches, website owners can help protect their users and information from compromise.

Timeline

Published on: 05/17/2024 09:15:09 UTC
Last modified on: 05/17/2024 18:36:05 UTC