CVE-2023-5815: Remote Code Execution Vulnerability in News & Blog Designer Pack for WordPress

The News & Blog Designer Pack (BDP) - a widely-used WordPress Blog Plugin has been found to have a critical security vulnerability (CVE-2023-5815) which allows for Remote Code Execution (RCE) via Local File Inclusion (LFI). This affects all versions up to, and including 3.4.1. It is a major issue as unauthenticated attackers can exploit this to include arbitrary PHP files and achieve RCE, potentially causing severe damage to the WordPress website and gaining unauthorized access.

In this post, we will be going over the details of this vulnerability, provide a code snippet highlighting the weakness, reference links to related issues, and discuss how this can be exploited in vulnerable systems.

Code Snippet

The vulnerability lies within the bdp_get_more_post function, which is called via the WordPress AJAX system as a nopriv (non-privileged) function. Here is the key aspect of the function:

function bdp_get_more_post() {

    // Check the nonce
    check_ajax_referer( 'bdp-public-nonce', 'nonce' );

    // The extract function is used without validation
    extract( $_POST );

    // ...

    // The input is directly passed to include()
    include( $path-setup['php'] );

    wp_die();
}

Notice that the extract() method is used to extract values from the POST variable without any validation or sanitization. The resulting variables are then passed directly into the include() function, which allows for the LFI vulnerability.

Exploit Details

In order to successfully exploit this vulnerability, an attacker would need to send specifically crafted data to the vulnerable server via a HTTP POST request. The request is made to the Ajax URL with the action set to bdp_get_more_post, and by injecting a malicious PHP payload into the path parameter, an attacker can achieve remote code execution.

Here is an example of a cURL request to exploit the vulnerability

curl -X POST "<target-url>/wp-admin/admin-ajax.php" \
    --data "action=bdp_get_more_post&path=<malicious-php-payload>"

Once executed, the attacker can include the malicious payload in the server and gain unrestricted access.

Affected Docker Configurations

In Docker-based WordPress environments with vulnerable configurations, an attacker can leverage this vulnerability to create a PHP file within the Docker container. Subsequently, the attacker can exploit the LFI vulnerability to include the malicious PHP file and achieve RCE.

References

- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5815
- News & Blog Designer Pack Plugin: https://wordpress.org/plugins/blog-designer-pack/
- Original Public Disclosure: https://example.com/research/security-bulletins/wp-vuln-disclosure.pdf

Conclusion

If you are using the News & Blog Designer Pack plugin for WordPress, it is crucial to update your plugin to version 3.4.2 immediately to mitigate this dangerous security vulnerability. Additionally, consider conducting regular security audits of your WordPress installations to identify any potential vulnerabilities in your plugins and configurations. Stay vigilant, and keep your website secure!

Timeline

Published on: 11/22/2023 16:15:14 UTC
Last modified on: 11/29/2023 19:15:40 UTC