The News & Blog Designer Pack (BDP), a widely used WordPress blog plugin, has a critical security vulnerability (CVE-2023-5815) that allows Remote Code Execution (RCE) via Local File Inclusion (LFI). All versions up to and including 3.4.1 are affected. The issue is severe because unauthenticated attackers can exploit it to include arbitrary PHP files and achieve RCE, which can cause serious damage to the WordPress site and give the attacker unauthorized access.

In this post we go over the details of the vulnerability, show the code that contains the weakness, reference related resources, and discuss how it can be exploited on vulnerable systems.

Code Snippet

The vulnerability lies in the bdp_get_more_post function, which is registered with the WordPress AJAX system as a nopriv (non-privileged) handler, meaning it can be reached by visitors who are not logged in. Here is the key part of the function:

function bdp_get_more_post() {

    // Verify the AJAX nonce. This is a CSRF check only; it does not
    // authenticate the caller and does not constrain the values used below.
    check_ajax_referer( 'bdp-public-nonce', 'nonce' );

    // Every POST field is turned into a local variable with no validation
    // or sanitization, so a request field named "path" becomes $path.
    extract( $_POST );

    // ...

    // The attacker-controlled value is passed straight to include().
    include( $path );

    wp_die();
}

Notice that extract() turns every key of the $_POST superglobal into a local variable without any validation or sanitization. The resulting variable is then passed directly to include(), which is the LFI vulnerability. The check_ajax_referer() call does not prevent this: a WordPress nonce is a CSRF token, not an authorization check, so it does not make the handler safe to expose to unauthenticated users.
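As an added example (not code from the plugin or from the original post), here is how a handler of this shape can be hardened: the client names a template by slug instead of a path, the slug is checked against an allow-list, and the resolved file is verified to sit inside the plugin's template directory before it is included. The hook names, the templates directory, the layout field and the allow-list contents are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. The handler name, the "layout"
// field, the templates directory and the allow-list are assumptions.

add_action( 'wp_ajax_nopriv_bdp_get_more_post', 'bdp_get_more_post_safe' );
add_action( 'wp_ajax_bdp_get_more_post', 'bdp_get_more_post_safe' );

function bdp_get_more_post_safe() {
    // The nonce is a CSRF token, not authentication: keep it, but do not
    // rely on it to decide what may be included.
    check_ajax_referer( 'bdp-public-nonce', 'nonce' );

    // Never extract() request data into the local scope. Read only the
    // field that is needed and reduce it to a plain slug (a-z, 0-9, _, -).
    $layout = isset( $_POST['layout'] )
        ? sanitize_key( wp_unslash( $_POST['layout'] ) )
        : '';

    // Allow-list of template names that ship with the plugin (assumed).
    $allowed = array( 'grid', 'list', 'masonry' );
    if ( ! in_array( $layout, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid layout' ), 400 );
    }

    // Build the path from a fixed directory plus the allow-listed name,
    // then confirm the resolved file really lives inside that directory.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . '/' . $layout . '.php' );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'template not found' ), 404 );
    }

    // Only a known file under the plugin's own templates directory gets here.
    include $file;
    wp_die();
}
```

wp_send_json_error() terminates the request, so execution never reaches include() for a rejected value.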

Exploit Details

To exploit this vulnerability, an attacker sends specially crafted data to the vulnerable server in an HTTP POST request. The request goes to the WordPress Ajax URL with the action parameter set to bdp_get_more_post; by injecting a malicious PHP payload into the path parameter, the attacker can achieve remote code execution.

Here is an example of a cURL request that targets the vulnerability:

curl -X POST "<target-url>/wp-admin/admin-ajax.php" \
    --data "action=bdp_get_more_post&path=<malicious-php-payload>"

Once the request is processed, the server includes the attacker's payload, giving the attacker unrestricted access.

Affected Docker Configurations

In Docker-based WordPress deployments with vulnerable configurations, an attacker can first leverage this vulnerability to create a PHP file inside the container and then include that file through the LFI to achieve RCE.

References

- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5815
- News & Blog Designer Pack Plugin: https://wordpress.org/plugins/blog-designer-pack/
- Original Public Disclosure: https://example.com/research/security-bulletins/wp-vuln-disclosure.pdf

Conclusion

If you are using the News & Blog Designer Pack plugin for WordPress, it is crucial to update the plugin to version 3.4.2 immediately to mitigate this dangerous security vulnerability. Additionally, consider conducting regular security audits of your WordPress installations to identify potential vulnerabilities in your plugins and configurations. Stay vigilant, and keep your website secure!

Timeline

Published on: 11/22/2023 16:15:14 UTC
Last modified on: 11/29/2023 19:15:40 UTC