A new vulnerability has been discovered in WordPress Core that affects versions up to, and including, 6.2. This vulnerability, assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2745, allows unauthenticated attackers to exploit directory traversal via the 'wp_lang' parameter. With this exploit, attackers can gain access to and load arbitrary translation files, potentially leading to a Cross-Site Scripting (XSS) attack if they are able to upload a crafted translation file onto the targeted site.

In this post, we will dive into the details of this vulnerability, discuss how it can be exploited, and provide code snippets and links to the original references. The aim is to help you understand the severity and potential impact of this vulnerability, learn how to detect it, and, most importantly, learn how to mitigate it.

Exploit Details

The vulnerability exists in the load_translations_early() function in the WordPress Core. This function is intended to load translation files for use in the web application. However, the 'wp_lang' parameter is not properly sanitized, allowing an attacker to inject arbitrary file paths and access translation files outside the intended directory.

The following code snippet demonstrates the vulnerability in the load_translations_early() function:

function load_translations_early( $domain = 'default' ) {
    $locale = get_locale();
    $path   = constant( 'WP_LANG_DIR' );

    // Load the translation for the site's configured locale first.
    load_textdomain( $domain, "{$path}/{$locale}.mo" );

    // Check for the wp_lang parameter.
    if ( isset( $_GET['wp_lang'] ) ) {
        $locale = sanitize_text_field( $_GET['wp_lang'] ); // Insufficient sanitization
        if ( false !== strpos( $locale, '/' ) || false !== strpos( $locale, '\\' ) ) {
            return;
        }

        // The user-supplied value is interpolated directly into the file path.
        load_textdomain( $domain, "{$path}/{$locale}.mo" );
    }
}

As seen above, the 'wp_lang' parameter is passed through the sanitize_text_field() function. However, that function only strips line breaks, tabs, and stray octets; it does not perform proper input validation or remove file path characters such as '.' or '..', leaving the application vulnerable to directory traversal.

- WordPress Core Issue #53692
- CVE-2023-2745 Details on NVD

Potential Exploit Scenario

An unauthenticated attacker could send a crafted HTTP request with the 'wp_lang' parameter set to include directory traversal sequences, such as '../../', aiming to access sensitive data or translation files outside the intended directory. If the attacker is also able to upload a malicious translation file containing JavaScript code, they could execute an XSS attack when the crafted translation file is loaded by an administrator or user visiting the affected site.

Mitigation Steps

To mitigate this vulnerability, site administrators should update their WordPress Core installation to version 6.3 or higher, which includes a fix for this issue. Additionally, it is essential to regularly check for and install security updates, use secure coding practices, and implement input validation for all user-controlled parameters.
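As an added example that is not part of the original post, the Python script below triages web server access logs for requests that abuse the wp_lang parameter, applying the same strict allow-list (letters, digits and underscores only) that the input validation recommended above should enforce. The log lines are constructed for the example, and values are decoded twice so that double-URL-encoded input is classified the same as its plain form.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Allow-list for a WordPress locale slug (e.g. "en_US", "pt_BR", "de_DE_formal"):
# letters, digits and underscores only, so no dots or path separators can pass.
LOCALE_RE = re.compile(r'^[A-Za-z0-9_]{2,20}$')

# Minimal parser for combined log format; we only need the client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def extract_wp_lang(target):
    """Return every decoded wp_lang value in the request target (empty list if none)."""
    values = parse_qs(urlparse(target).query, keep_blank_values=True).get('wp_lang', [])
    # parse_qs already decodes once; decoding twice more surfaces double-encoded
    # sequences such as %252e%252e%252f so they are judged like their plain form.
    return [unquote(unquote(v)) for v in values]

def classify_wp_lang(value):
    """'traversal' for path-walking input, 'malformed' for other non-locale input, else None."""
    if '..' in value or '/' in value or '\\' in value:
        return 'traversal'
    if not LOCALE_RE.fullmatch(value):
        return 'malformed'
    return None

def scan_log(lines):
    """Return a list of (client_ip, decoded_value, verdict) for suspicious wp_lang requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for value in extract_wp_lang(m['target']):
            verdict = classify_wp_lang(value)
            if verdict:
                findings.append((m['ip'], value, verdict))
    return findings

# Constructed sample log lines (not real traffic): a benign locale, plain and
# double-URL-encoded traversal, a non-locale value, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/May/2023:09:15:00 +0000] "GET /wp-login.php?wp_lang=en_US HTTP/1.1" 200 1234',
    '203.0.113.11 - - [17/May/2023:09:16:12 +0000] "GET /wp-login.php?wp_lang=..%2F..%2Fuploads%2Fx HTTP/1.1" 200 2345',
    '203.0.113.12 - - [17/May/2023:09:17:30 +0000] "GET /wp-login.php?wp_lang=%252e%252e%252fuploads%252fx HTTP/1.1" 200 2345',
    '203.0.113.13 - - [17/May/2023:09:18:45 +0000] "GET /wp-login.php?wp_lang=de_DE%3Cscript%3E HTTP/1.1" 200 2345',
    '203.0.113.14 - - [17/May/2023:09:19:00 +0000] "GET /?p=1 HTTP/1.1" 200 999',
]
```

Running scan_log(SAMPLE_LOG) flags the three non-locale requests and ignores the benign en_US request and the request without wp_lang.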

Conclusion

CVE-2023-2745 is a critical vulnerability in the WordPress Core that allows unauthenticated attackers to exploit directory traversal via the 'wp_lang' parameter. By understanding the details of this vulnerability and implementing the necessary security measures and updates, you can protect your WordPress site from potential attacks. Stay informed and stay secure!

Timeline

Published on: 05/17/2023 09:15:00 UTC
Last modified on: 05/26/2023 02:20:00 UTC