If you're using the Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin on your site, you might want to pay attention to a newly disclosed vulnerability, CVE-2023-1274. It allows any authenticated user, even a mere subscriber, to perform Local File Inclusion (LFI) attacks on your website. Researchers found that the plugin does not validate some shortcode attributes before using them to build paths for PHP's include and require functions. Because of this, an attacker can craft a request that includes arbitrary files from the server's filesystem.

In this post, we'll take a closer look at how this vulnerability works, demonstrate an exploit with a code snippet, and discuss effective solutions to protect your site.

The Vulnerability Explained

The key issue in the Pricing Tables For WPBakery Page Builder plugin (versions before 3.) is the lack of validation on some shortcode attributes. An attacker can manipulate these attributes to force the plugin to include any file present on the server. This can lead to sensitive data exposure or code execution, depending on the server's configuration.

Here's an example of vulnerable code that leads to an LFI attack:

function pricing_tables_shortcode( $atts ) {
   // The 'template' attribute comes straight from the shortcode text and is
   // dumped into the local scope by extract() without any validation.
   extract( shortcode_atts( array(
      'template' => ''
   ), $atts ) );

   ob_start();
   // The unvalidated value is concatenated into the include path, so "../"
   // sequences in $template escape the templates/ directory.
   include( plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php' );
   return ob_get_clean();
}
add_shortcode( 'pricing_tables', 'pricing_tables_shortcode' );

In this case, an attacker may include arbitrary files from the server by sending a malicious request containing a crafted shortcode:

[pricing_tables template="../../../../../../../../etc/passwd"]
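A hardened version of the handler above, as an added example that is not the plugin's own code or its actual patch: the template attribute is restricted to a plain identifier, checked against the template files that actually exist, and the resolved path is confirmed to stay inside templates/. The function names pricing_tables_allowed_templates and pricing_tables_shortcode_safe and the 'default' template are assumptions of this example.

```php
<?php
// Added example (not the plugin's code): the same shortcode handler with the
// 'template' attribute validated before it ever reaches include().
// Assumption: legitimate templates live in <plugin dir>/templates/*.php.

function pricing_tables_allowed_templates() {
    // Allowlist built from the files that really exist in templates/;
    // anything not on this list is rejected outright.
    $dir   = plugin_dir_path( __FILE__ ) . 'templates/';
    $names = array();
    foreach ( glob( $dir . '*.php' ) ?: array() as $path ) {
        $names[] = basename( $path, '.php' );
    }
    return $names;
}

function pricing_tables_shortcode_safe( $atts ) {
    // No extract(): keep attributes in an array so nothing can shadow locals.
    $atts = shortcode_atts( array(
        'template' => 'default',   // assumed default template name
    ), $atts, 'pricing_tables' );

    // 1. Accept only a plain identifier (letters, digits, dash, underscore).
    //    This rejects "../", "/", null bytes and wrapper prefixes like php://.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $atts['template'] ) ) {
        return '';
    }
    // 2. The name must also be on the allowlist, not merely well-formed.
    if ( ! in_array( $atts['template'], pricing_tables_allowed_templates(), true ) ) {
        return '';
    }

    // 3. Defence in depth: the resolved path must still sit inside templates/.
    $dir  = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $dir . DIRECTORY_SEPARATOR . $atts['template'] . '.php' );
    if ( false === $dir || false === $file
         || strpos( $file, $dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'pricing_tables', 'pricing_tables_shortcode_safe' );
```

With this handler the crafted shortcode above is rejected at step 1, and a value such as a template name that passes the pattern but has no matching file is rejected at step 2.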

Original References

The vulnerability was discovered by security researchers at CompanyName, who have provided further technical details in their blog post: Exploiting the Pricing Tables for WPBakery Page Builder WordPress Plugin. You can also find more information about this CVE in the CVE database.

To successfully exploit this vulnerability, the attacker must:

1. Register as a subscriber or gain access to an authenticated user account on the target WordPress site.

- Exposure and theft of sensitive server data, e.g., configuration files, passwords.

- Execution of arbitrary PHP code contained in the included file, depending on the server's configuration.

Solution

The most effective way to protect your site from this vulnerability is to update the Pricing Tables For WPBakery Page Builder plugin to the latest version (3. or higher), which includes a patch for this issue. You can update the plugin by following these steps:

Click "Update Now".

It's also essential to maintain general WordPress security best practices, such as using strong passwords, keeping all themes and plugins up-to-date, limiting user privileges, and implementing server-side security measures.

Conclusion

The CVE-2023-1274 vulnerability in the Pricing Tables For WPBakery Page Builder WordPress plugin is a serious security issue that can allow an attacker to perform LFI attacks on your site. To protect your site, it's crucial to update the plugin to the latest version and follow best practices for WordPress security.

Timeline

Published on: 04/17/2023 13:15:00 UTC
Last modified on: 04/25/2023 19:29:00 UTC