WordPress Plugin Vulnerabilities

Hummingbird < 3.4.2 - Unauthenticated Path Traversal

Description

The plugin does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module.

This allows an attacker to:
- Enumerate file system directories where the user who starts the web server process has write access.
- Crash the server by generating an endless number of unique queries, which will be saved outside wphb-cache, thus preventing the purge cache functionality from removing cached files from the server file system.
- Disable some web application functionalities (like breaking the redirections) because the plugin creates empty index.html in the directory where it saves the cache file.
- Write cache files, including `index.html` to the web application directories on the same server, which may significantly affect availability.

Proof of Concept

Affects Plugins

Plugin icon
hummingbird-performance
Fixed in 3.4.2

References

CVE
CVE-2023-1478

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Karol Mazurek (AFINE)
Submitter
Karol Mazurek (AFINE)
Submitter website
https://karol-mazurek95.medium.com/
Submitter twitter
karmaz95
Verified
Yes
WPVDB ID
512a9ba4-01c0-4614-a991-efdc7fe51abe

Timeline

Publicly Published
2023-03-20 (about 2 years ago)
Added
2023-03-20 (about 2 years ago)
Last Updated
2023-03-20 (about 2 years ago)

Other

Published
Title
Published
2017-09-29
Title
Insert Pages < 3.2.4 - Directory Traversal
Published
2023-05-15
Title
MW WP Form < 4.4.3 - Unauthenticated Path Traversal
Published
2022-10-14
Title
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
Published
2021-08-23
Title
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
Published
2024-04-04
Title
ARMember < 4.0.28 - Directory Traversal via X-FILENAME