The All-in-One Video Gallery plugin for WordPress has become the go-to solution for many website creators when it comes to embedding responsive videos on their websites. However, a critical security vulnerability (CVE-2024-4033) has recently been discovered which impacts all versions up to and including 3.6.4. This vulnerability allows authenticated attackers with contributor access or higher to upload arbitrary files to the site's server, potentially resulting in remote code execution.

Vulnerability Details

The vulnerability stems from a lack of proper file type validation in the aiovg_create_attachment_from_external_image_url() function found in the All-in-One Video Gallery plugin. This allows attackers with contributor access or higher to upload arbitrary files, such as PHP files containing malicious code, to the website's server.

Here is a code snippet of the vulnerable function, as taken from the plugin's source code:

function aiovg_create_attachment_from_external_image_url( $image_url, $parent_post_id ) {
  // The remote URL is fetched as-is; nothing checks its scheme or host
  $file_content = file_get_contents( $image_url );
  if ( $file_content ) {
    // Save the external image as an attachment.
    // The file name, and therefore the extension, comes straight from the URL
    $file_name = basename( $image_url );
    $upload_dir = wp_upload_bits( $file_name, null, $file_content );
    if ( ! $upload_dir['error'] ) {
      // Set the attachment parameters.
      // wp_check_filetype() only maps the name to a MIME type; it never inspects
      // the content, and its result is not used to reject the file
      $wp_filetype = wp_check_filetype( $file_name, null );
      $attachment = array(
        'post_mime_type' => $wp_filetype['type'],
        'post_title' => addslashes( $file_name ),
        'post_content' => '',
        'post_status' => 'inherit',
      );
      // Insert and return the attachment's post ID
      $attachment_id = wp_insert_attachment( $attachment, $upload_dir['file'], $parent_post_id );
      return $attachment_id;
    }
  }

  return;
}

As is evident from the code above, the file name taken from the URL is never checked against an allowed list of file types before the content is written to disk, which is what leads to the vulnerability.
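For comparison, here is a hardened version of the same sideload routine. This is an added example, not the plugin's own code or its official fix; it assumes it runs inside WordPress (wp_safe_remote_get, wp_check_filetype, wp_get_image_mime, wp_upload_bits and wp_insert_attachment are core functions), and the function name is an assumption. It checks who is calling, what the URL points at, what the name claims, and what the bytes actually are, and only then writes to the uploads directory.

```php
<?php
// Added example, not the plugin's own code or its official fix: a hardened
// version of the sideload routine discussed above. Assumes a WordPress runtime;
// the function name is hypothetical.

function example_sideload_image_as_attachment( $image_url, $parent_post_id ) {
    // 1. Capability check: only roles allowed to upload media may sideload.
    //    Contributors do not have upload_files by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }

    // 2. Only http(s) URLs, fetched with wp_safe_remote_get(), which also
    //    refuses loopback and private-network hosts (SSRF guard).
    $scheme = wp_parse_url( $image_url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_url', 'Only http(s) URLs are allowed.' );
    }
    $response = wp_safe_remote_get( $image_url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch the remote image.' );
    }
    $file_content = wp_remote_retrieve_body( $response );
    if ( '' === $file_content ) {
        return new WP_Error( 'empty', 'The remote image is empty.' );
    }

    // 3. The file name comes from the URL path only (no query string) and is sanitized.
    $path      = (string) wp_parse_url( $image_url, PHP_URL_PATH );
    $file_name = sanitize_file_name( basename( $path ) );

    // 4. Allow-list of the image types this feature actually needs.
    $allowed_mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // 5a. Name-based check: the extension must map to an allowed type.
    //     "shell.php" has no entry in the allow-list and is rejected here.
    $by_name = wp_check_filetype( $file_name, $allowed_mimes );
    if ( empty( $by_name['ext'] ) || empty( $by_name['type'] ) ) {
        return new WP_Error( 'bad_ext', 'File extension is not an allowed image type.' );
    }

    // 5b. Content-based check: the bytes must really be the image the name claims.
    //     A PHP payload saved as "shell.png" passes 5a but fails here.
    $tmp = tempnam( get_temp_dir(), 'sideload' );
    if ( false === $tmp || false === file_put_contents( $tmp, $file_content ) ) {
        return new WP_Error( 'tmp_failed', 'Could not write temporary file.' );
    }
    $real_mime = wp_get_image_mime( $tmp );
    unlink( $tmp );
    if ( false === $real_mime || $real_mime !== $by_name['type'] ) {
        return new WP_Error( 'bad_content', 'File content does not match an allowed image type.' );
    }

    // 6. Store under wp-content/uploads and register the attachment with the
    //    verified MIME type rather than whatever the URL suggested.
    $upload = wp_upload_bits( $file_name, null, $file_content );
    if ( ! empty( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'] );
    }
    $attachment = array(
        'post_mime_type' => $real_mime,
        'post_title'     => sanitize_text_field( pathinfo( $file_name, PATHINFO_FILENAME ) ),
        'post_content'   => '',
        'post_status'    => 'inherit',
    );
    return wp_insert_attachment( $attachment, $upload['file'], $parent_post_id, true );
}
```

The two checks in step 5 are deliberately separate: the name check alone is what most "fixes" stop at, and it still lets through a non-image payload with an image extension; the content check alone would accept a valid image whose name ends in .php, which some hosts execute. Rejecting on a mismatch between the two is stricter than what core's media_sideload_image() does (it renames the file to match the real type), but for a plugin feature that only ever needs a handful of image formats, rejection is the safer default.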

Exploit Details

The exploit takes advantage of the vulnerable aiovg_create_attachment_from_external_image_url function. An attacker with contributor access or higher to the WordPress site can use it to upload a file containing malicious code, such as a PHP file. Once uploaded, the attacker can execute the code remotely, potentially taking control of the site or damaging its content.

Mitigation and Recommendations

To prevent exploitation of this vulnerability, users of the All-in-One Video Gallery plugin are advised to update to the latest version of the plugin as soon as possible. If you are unable to update the plugin immediately, consider disabling it temporarily or limiting the contributor role and higher roles to trusted users.

Moreover, it is essential to have a robust security solution for your website, including monitoring user activity, regularly scanning the site for vulnerabilities and unexpected files, and keeping WordPress and all plugins up to date at all times.
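The "regularly scanning the site" advice above is easiest to act on with a concrete check. The script below is an added example, not part of the advisory or the plugin: a read-only audit that walks a WordPress uploads directory and reports files that should never be in a media library, namely files with a server-executable extension anywhere in their name, image-named files whose bytes are not a valid image, and files containing a PHP open tag. The directory path and both extension lists are assumptions; adjust them for your server.

```php
<?php
// Added example, not from the plugin or the advisory: a read-only audit of a
// WordPress uploads directory. Paths and extension lists are assumptions.
// Usage:  php audit-uploads.php /var/www/html/wp-content/uploads

// Extensions that common PHP handlers will execute (assumed list; extend per host config).
$executable_ext = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps' );
// Extensions whose content getimagesize() can validate.
$image_ext      = array( 'jpg', 'jpeg', 'jpe', 'png', 'gif', 'webp', 'bmp' );

function audit_upload_file( $path, $executable_ext, $image_ext ) {
    $findings = array();

    // Examine every extension in the name, so "a.php.png" and "a.png.php" are both caught.
    $exts = array_map( 'strtolower', array_slice( explode( '.', basename( $path ) ), 1 ) );
    foreach ( $exts as $ext ) {
        if ( in_array( $ext, $executable_ext, true ) ) {
            $findings[] = "server-executable extension .$ext";
            break;
        }
    }

    // Files named like images must actually parse as images.
    $last = $exts ? end( $exts ) : '';
    if ( in_array( $last, $image_ext, true ) && false === @getimagesize( $path ) ) {
        $findings[] = 'image extension but content is not a valid image';
    }

    // A PHP open tag has no business in any media file; inspect only the first 64 KiB.
    $head = (string) file_get_contents( $path, false, null, 0, 65536 );
    if ( false !== stripos( $head, '<?php' ) || false !== strpos( $head, '<?=' ) ) {
        $findings[] = 'contains a PHP open tag';
    }

    return $findings;
}

$uploads_dir = $argv[1] ?? 'wp-content/uploads';
if ( ! is_dir( $uploads_dir ) ) {
    fwrite( STDERR, "Not a directory: $uploads_dir\n" );
    exit( 1 );
}

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
);
$total   = 0;
$flagged = 0;
foreach ( $iterator as $file ) {
    if ( ! $file->isFile() ) {
        continue;
    }
    $total++;
    $findings = audit_upload_file( $file->getPathname(), $executable_ext, $image_ext );
    if ( $findings ) {
        $flagged++;
        echo $file->getPathname(), "\n  - ", implode( "\n  - ", $findings ), "\n";
    }
}
printf( "Scanned %d files, flagged %d.\n", $total, $flagged );
```

The script only reports; review each flagged path before removing anything, since a legitimate upload with an odd name will also show up. Running it on a schedule, and pairing it with a web-server rule that refuses to execute PHP under wp-content/uploads, turns the generic "scan regularly" recommendation into something that catches this class of upload whether or not the vulnerable plugin version is still installed.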

Additional References

1. Official WordPress Plugin Page
2. CVE-2024-4033 at NVD

Conclusion

The arbitrary file upload vulnerability (CVE-2024-4033) in the All-in-One Video Gallery WordPress plugin is a critical security issue that can result in remote code execution if exploited. Users are urged to update their plugin to the latest version to mitigate the risk and ensure the security of their website.

Timeline

Published on: 05/02/2024 17:15:33 UTC
Last modified on: 05/28/2024 21:06:54 UTC