WordPress plugins make it easy to add complex functions to your website, but security issues in those plugins can put your site and your data at risk. One such example is CVE-2023-45652, a serious vulnerability in the Remote Content Shortcode plugin by Justin Silver. This flaw lets attackers read sensitive files by abusing the way the plugin handles paths.
In this post, we’ll break down what CVE-2023-45652 is, how the attack works, show you simple proof-of-concept code, and share ways to stay safe.
What Is Remote Content Shortcode?
The Remote Content Shortcode (WordPress.org page) lets you embed remote or local content directly into WordPress posts and pages using simple shortcodes. Many users rely on this plugin for easy content integration, but—prior to version 1.5—there was a critical security oversight.
Affected Versions: All up to and including 1.5
- Exploit Type: Path Traversal / Local File Inclusion (LFI)
Description
CVE-2023-45652 is caused by improper validation of pathname input in the plugin’s shortcode. This means an attacker can supply directory traversal characters like ../ to read arbitrary files from the server—including sensitive configuration and credential files.
The vulnerability exists because the plugin does not properly restrict file paths to a safe directory. In effect, anyone who can embed a shortcode can try to include any file from the server.
How Does the Exploit Work?
WordPress shortcodes can be used by editors and writers on sites, so not every attack vector is “remote unauthenticated.” However, on many misconfigured or open sites, this bug can be exploited by guest writers, contributors, or even through cross-site scripting (XSS) if it’s possible to inject shortcodes somewhere.
Let’s look at a real-world case. The vulnerable shortcode looks like this
// Example usage in a WordPress post (vulnerable)
[remote_content url="/etc/passwd"]
The plugin’s PHP code might process this as
$file = $_GET['url']; // Or comes directly from shortcode param
$content = file_get_contents($file); // No validation!
echo $content;
There are no checks to make sure the file is within a safe folder—so ../../../../wp-config.php or even /etc/passwd can be included and read in the browser.
Anyone who can create a post or page can attempt
[remote_content url="../../../../wp-config.php"]
or even *(on some systems)*
[remote_content url="/etc/passwd"]
If your server user account running WordPress is permitted to read those files, the content will be outputted directly in the page.
Alternatively, sending a crafted HTTP GET request if the plugin uses a GET parameter
GET /?remote_content=../../../../wp-config.php
*(The actual parameter name and location may vary, but this is the general idea.)*
Any file readable by the web server.
Once an attacker has database credentials or configuration, they may be able to go further, escalating their attack.
Original References
- WordPress Plugin Directory: Remote Content Shortcode
- NIST NVD CVE-2023-45652 *(link may be pending full details)*
- Justin Silver’s Plugin Page
How To Fix and Protect Your Site
1. Update Immediately:
The developer fixed this bug in versions after 1.5. Upgrade to the latest release ASAP.
2. Restrict Shortcode Use:
Only assign roles you trust the ability to use shortcodes and create posts/pages.
3. Harden File Permissions:
Set your server so that the WordPress user account cannot read sensitive system files outside the web root.
4. Disable if Not Needed:
If you aren’t using this plugin, disable and remove it.
5. Web Application Firewall:
A WAF (like Wordfence) may help block attempted traversals, but prevention through patching is best.
Responsible Disclosure
This bug was responsibly reported and patched. If you depend on open source WordPress plugins, remember to:
Summary
CVE-2023-45652 is a critical path traversal and local file inclusion vulnerability affecting the Remote Content Shortcode plugin up to version 1.5. Malicious actors can exploit this by crafting shortcodes or HTTP requests to read any file the web server user can access.
Update now to keep your WordPress site secure. For more info, consult the plugin’s changelog and the official CVE record.
Stay safe—patch your plugins!
*This article is an exclusive long-read post created to help everyday WordPress users and sysadmins understand and deal with CVE-2023-45652. All code samples and analysis by the author. Please cite this post if sharing excerpts elsewhere.*
Timeline
Published on: 05/17/2024 09:15:08 UTC
Last modified on: 06/04/2024 17:19:59 UTC