CVE CyberSecurity Database News

CVE-2023-47178 - Path Traversal and PHP Local File Inclusion in The Plus Addons for Elementor Pro

Poster -

Date: June 2024
Severity: High (CVSS ~8.8)
Affected Plugin: The Plus Addons for Elementor Pro
Affected Versions: All versions up to and including 5.2.8
Type: Path Traversal / Local File Inclusion (LFI)
Reference: Patchstack Writeup

Introduction

A high-risk vulnerability, CVE-2023-47178, was discovered in the popular WordPress plugin "The Plus Addons for Elementor Pro." This bug allows attackers to include and execute arbitrary PHP files from the server via a *Local File Inclusion* (LFI) vulnerability, which is caused by improper handling of user-supplied file paths. Attackers can exploit this to read sensitive files or, in some cases, achieve remote code execution (RCE).

What is Path Traversal and Local File Inclusion?

- Path Traversal: A flaw that allows a user to access directories and files stored outside a restricted folder by manipulating file path input.
- Local File Inclusion (LFI): An attack that abuses file include functionality to load files from the server, which can reveal secrets or grant code execution if the file is a script.

How Did This Vulnerability Happen?

In "The Plus Addons for Elementor Pro," one or more endpoints allow users to specify a file name or path. The plugin fails to properly sanitize or restrict this input. As a result, an attacker can use path traversal tricks like ../../../../../etc/passwd to traverse out of the intended directory or include local PHP files which then are executed on the server.

Suppose the plugin has a function similar to this (note: pseudo-code for explanation)

// Get user input from HTTP request parameter
$file = $_GET['file'];

// Intended to load a template or resource
include(PLUGIN_PATH . '/templates/' . $file);

What's wrong here?
- No check is made for ../ path traversal.
- No sanitization is enforced, allowing attackers to set file=../../../../../wp-config.php or any PHP file.

Find a vulnerable endpoint that takes a filename or path as an input

https://victim.com/wp-admin/admin-ajax.php?action=tp_safe_include&file=something.php

Modify the file parameter using path traversal

https://victim.com/wp-admin/admin-ajax.php?action=tp_safe_include&file=../../../../wp-config.php

If the plugin does not block this, it loads and processes the contents of wp-config.php—which contains database keys and credentials—leaking sensitive data. If you can get it to process a file containing your own PHP code (uploaded elsewhere), you may even gain remote code execution.

Example LFI Payload

file=../../../../../../etc/passwd

If successful, an attacker can read any file the web server process user can access.

Real-World Impact

- Information Disclosure: Read sensitive files, e.g., wp-config.php for WordPress database credentials.
- PHP Code Execution: If an attacker can upload a file with PHP code (e.g., via image uploads in another vulnerable plugin), they could include and execute it.
- Site Takeover: Compromise the affected WordPress site, deface it, or use it in attacks against visitors.

Mitigation & Fix

The Plus Addons for Elementor Pro fixed this issue after version 5.2.8. Update your plugin immediately to the latest version.

References and Further Reading

- Patchstack Security Advisory
- NVD Entry (CVE-2023-47178)
- OWASP Path Traversal FAQ

Conclusion

CVE-2023-47178 shows the ongoing importance of proper input validation and secure coding practices in WordPress plugin development. If you're running The Plus Addons for Elementor Pro, patch now. Website owners should regularly update their plugins and keep an eye on security advisories for all their WordPress components.

For those interested in learning more about Local File Inclusion and how to defend your WordPress site, check out the above links for technical breakdowns.

Timeline

Published on: 05/17/2024 09:15:10 UTC
Last modified on: 06/06/2024 12:44:48 UTC