CVE-2023-5199: Local File Inclusion to Remote Code Execution Vulnerability in the PHP to Page Plugin for WordPress (up to version .3)

Introduction: Security researchers have recently disclosed a vulnerability, tracked as CVE-2023-5199, in the PHP to Page plugin for WordPress. The plugin allows you to add PHP code to your WordPress pages and posts easily. However, versions up to and including .3 of the plugin are susceptible to Local File Inclusion (LFI) that can lead to Remote Code Execution (RCE), which essentially allows anyone with subscriber-level access to include local files and potentially execute code on the server. This blog post will discuss the details of this vulnerability, provide example code snippets, and point to useful references.

Vulnerability Details

The root cause of the vulnerability is the misuse of the 'php-to-page' shortcode within the PHP to Page plugin on WordPress sites. The core issue is that this shortcode doesn't adequately validate or sanitize the user input, leading to a local file being included and potentially executing code on the server.

To exploit this vulnerability, an attacker would need to have subscriber-level access to the site or higher. While this may seem like a low-level access requirement, it's important to note that users with author-level access and above can easily upload files – thereby allowing for remote code execution.

The following code snippet demonstrates the exploit using the 'php-to-page' shortcode

[php-to-page file="../../wp-config.php"]

In this example, the attacker uses the 'file' parameter to include the 'wp-config.php' file, which contains sensitive configuration information related to the WordPress site.

Original References

1. The official CVE entry for the vulnerability can be found on the CVE List website, under CVE-2023-5199.

2. The WordPress Plugin Repository lists the PHP to Page plugin, including version history and download links.

Mitigation and Recommendations

1. The first and foremost recommendation is to update the PHP to Page plugin to the latest version as soon as it becomes available, as this should address the vulnerability.

2. If you cannot update the plugin or need a temporary workaround, consider disabling the plugin or restricting access to the plugin's functionality.

3. Review your user account permissions to ensure that only trusted users have the capability to add or modify content on your WordPress site.

Conclusion

In summary, CVE-2023-5199 is a critical vulnerability that allows for local file inclusion and remote code execution on WordPress sites with the PHP to Page plugin (version .3 and below) installed. To mitigate the risk, it is recommended to update the plugin to the latest version, restrict access, and closely monitor your site's logs for any suspicious activity. By following these recommendations, you can help protect your WordPress site from unwanted intrusions and keep your data secure.

Timeline

Published on: 10/30/2023 14:15:00 UTC
Last modified on: 11/13/2023 14:45:00 UTC