CVE-2022-41618: Unauthenticated Error Log Disclosure Vulnerability in Media Library Assistant Plugin <= 3.00 on WordPress

A recently discovered vulnerability (CVE-2022-41618) in the Media Library Assistant (MLA) WordPress plugin (versions <= 3.00) can expose sensitive log information to unauthenticated attackers. The vulnerability resides in the error log function, which can be accessed without any user authentication. This vulnerability may expose sensitive data, including database credentials, file paths, and other critical information, which can be exploited by attackers to compromise the affected WordPress installation.

In this post, we will discuss the technical details of the vulnerability, demonstrate an exploit, and provide mitigation procedures for those affected.

Vulnerable Code Analysis

The vulnerability stems from a lack of proper access control checks in the *MLATest*log* function, found in the file mla-test.php. The code snippet below demonstrates the vulnerability:

function MLATest_log( $message ) {
    if ( 'checked' == MLACore::mla_get_option( 'enable_mla_debug' ) ) {
        @error_log( '    ' . date( 'Ymd H:i:s', strtotime( current_time( 'mysql' ) ) ) . ' ' . $message . "\n", 3, MLA_PLUGIN_PATH . 'error_log' );
    }
}

As seen in the code snippet, the MLATest_log function writes debug information to an error_log file located within the plugin's directory, without checking if the user is authenticated or has the appropriate role to view such information.

The debug mode can be turned on by an administrator using the enable_mla_debug option. Once enabled, an attacker can send crafted requests to access the error_log file without any authentication required. This can expose sensitive information to unauthorized users.

Exploit Details

An attacker can access the error log by simply making a GET request to the /wp-content/plugins/media-library-assistant/error_log URL. This can be done using various tools such as curl, wget, or even a browser's address bar.

Example using curl

curl -O http://example.com/wp-content/plugins/media-library-assistant/error_log

Once accessed, an attacker can view sensitive log information that may aid in escalating privileges or compromising the website.

Disable the enable_mla_debug option in the plugin settings, if it is currently enabled.

2. Upgrade the Media Library Assistant plugin to the latest version (not vulnerable) as soon as it is available.

3. Regularly check your error logs and scan for suspicious activities that might indicate a security breach.

4. Ensure proper access controls and strong authentication mechanisms are in place for your WordPress installation.

5. Ideally, sensitive log information should not be stored in a web-accessible directory. Consider configuring log storage in a non-web accessible way.

Original References

The vulnerability was discovered and reported by the security researchers from Source Org. Additional information and detailed technical analysis can be found at the following links:

- Original Advisory
- NVD CVE-2022-41618

Conclusion

This vulnerability (CVE-2022-41618) in the Media Library Assistant plugin highlights the importance of proper access controls and authentication mechanisms in software development. By following the mitigation steps outlined above and keeping plugins updated, website administrators and developers can minimize the risk of exposing sensitive information to unauthorized users.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 08/07/2023 18:11:00 UTC