WPScan

WordPress Plugin Vulnerabilities

Custom Content Shortcode <= 4.0.2 - Contributor+ LFI

Description

The plugin does not validate one of its shortcode attributes, which could allow users with the Contributor role and above to include arbitrary files via a path traversal attack. This also lets them read non-PHP files and retrieve their contents. RCE could also be achieved if the attacker manages to upload a malicious image containing PHP code and then include it via the affected attribute; on a default WP install, Authors can easily do this since they have the upload_files capability.

Proof of Concept

As a contributor, put the shortcode below in a post and preview it

[comment template="/../../../license.txt"]

Assuming the blog is at /var/www/wordpress/, /etc/passwd can be accessed with

[comment template="/../../../../../../etc/passwd"]

If the attacker can upload a file such as an image with PHP code embedded in its comment field, RCE could be achieved, for example (by default, Authors and above can upload files):

[comment template="/../../../wp-content/uploads/2023/01/malicious.jpg"]
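The fix a plugin developer would want for the issue described above is to stop treating the template attribute as a path at all. The following is an added example, not code from the Custom Content Shortcode plugin: a hypothetical resolver (ccs_safe_template_path, ccs_comment_shortcode and the templates directory are all assumed names) that accepts only a bare .php file name and then confirms, via realpath, that the resolved file still sits inside the plugin's own templates directory. Restricting the extension is what also closes the uploaded-image variant, since malicious.jpg would never be included regardless of where it lives.

```php
<?php
// Added example, not code from the Custom Content Shortcode plugin: a
// defensive resolver for a shortcode "template" attribute. All function
// names and the templates directory are hypothetical.

/**
 * Map a user-supplied template name to a file inside $base_dir.
 * Returns the absolute path, or null if the name contains a NUL byte,
 * a directory separator, a non-.php extension, or resolves outside $base_dir.
 */
function ccs_safe_template_path(string $base_dir, string $template): ?string
{
    // NUL bytes can truncate paths in lower layers; PHP 8 also throws on them.
    if (strpos($template, "\0") !== false) {
        return null;
    }
    // Accept only a bare file name such as "default.php": no "/" or "\",
    // so "/../../../license.txt" and "/../../../../../../etc/passwd" are rejected.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $template)) {
        return null;
    }
    // Requiring .php also blocks including an uploaded image (e.g. malicious.jpg)
    // that carries PHP code in its metadata.
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $template);
    if ($base === false || $candidate === false) {
        return null; // base or template does not exist
    }
    // Defence in depth: the resolved path must still start with the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Hypothetical [comment template="..."] handler using the resolver above. */
function ccs_comment_shortcode(array $atts): string
{
    $template = isset($atts['template']) ? (string) $atts['template'] : 'default.php';
    $path = ccs_safe_template_path(__DIR__ . '/templates', $template);
    if ($path === null) {
        return ''; // refuse; a real plugin would log the rejected value
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir() . '/ccs_demo_' . getmypid();
    mkdir($tmp . '/templates', 0700, true);
    file_put_contents($tmp . '/templates/default.php', '<?php echo "ok";');
    file_put_contents($tmp . '/outside.txt', 'secret');

    $cases = [
        'default.php'                   => true,  // legitimate template
        '/../../../license.txt'         => false, // traversal string from the advisory
        '/../../../../../../etc/passwd' => false,
        '../outside.txt'                => false,
        'default.php' . "\0" . 'x'      => false, // NUL-byte truncation attempt
        'malicious.jpg'                 => false, // wrong extension
        'missing.php'                   => false, // does not exist
    ];
    foreach ($cases as $input => $expected) {
        $accepted = ccs_safe_template_path($tmp . '/templates', $input) !== null;
        printf("%-36s %s\n", json_encode($input), $accepted === $expected ? 'PASS' : 'FAIL');
    }
    unlink($tmp . '/templates/default.php');
    unlink($tmp . '/outside.txt');
    rmdir($tmp . '/templates');
    rmdir($tmp);
}
```

Run it with `php resolver.php`; every case should print PASS. The realpath prefix check is deliberately kept even though the file-name regex already excludes separators, so that a later relaxation of the regex (for example to allow subdirectories) does not silently reopen the traversal.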

Affects Plugins

custom-content-shortcode
No known fix

References

CVE
CVE-2023-0340

Classification

Type

LFI

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID
71956598-90aa-4557-947a-c4716674543d

Timeline

Publicly Published

2023-02-22

Added

2023-02-22

Last Updated

2023-02-22
