A vulnerability tracked as CVE-2023-47846 has been disclosed in the WordPress plugin WP Githuber MD by Terry Lin. It affects all versions from n/a through 1.16.2 (every release up to and including 1.16.2) and is classified as unrestricted upload of a file with a dangerous type (CWE-434). An attacker who can reach the upload feature could place a file such as a PHP script on the server, which can lead to arbitrary code execution and full control of the affected site.

WP Githuber MD is a Markdown editor for WordPress with more than 10,000 active installations. It offers several features to improve the editing experience, including GitHub Flavored Markdown, live preview, spell checking, and MathJax rendering.

Exploit Details

The vulnerability lets an attacker bypass the file type restrictions that WP Githuber MD applies to uploads. This matters because a file the web server treats as executable, such as a PHP script, runs with the privileges of the web server process as soon as it is requested, which can hand the attacker complete control of the site.

The issue stems from insufficient validation of image uploads made through the plugin's own Markdown editor. By default only specific image formats are meant to be accepted, but the check does not reliably reject files whose effective extension is dangerous, such as ".php".

To exploit the weakness described above, an attacker names a file so that it carries both an allowed image extension and a dangerous one (e.g. "malicious-file.jpg.php"). A check that only looks for an image extension somewhere in the name, or that trusts the MIME type supplied by the client, lets such a file through, and it is stored on the server. Because the web server and PHP decide how to handle a file by its final extension, "malicious-file.jpg.php" is simply a PHP script; the earlier ".jpg" exists only to satisfy the weak check.
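The contrast between a weak and a strict upload filter, as an added example in plain PHP. This is not code from WP Githuber MD or from its fix; the function names, the regex in the weak check, and the sample file names and contents are all constructed for the demonstration:

```php
<?php
// Added example, not code from WP Githuber MD or its fix: a naive upload
// filter that a double-extension name such as "malicious-file.jpg.php" slips
// past, beside a stricter filter that rejects it. Every file name and byte
// string below is constructed for the demonstration.

// Weak check: an unanchored regex only asks whether an image extension appears
// somewhere in the name, and the MIME type comes from the client, who chooses it.
function weak_upload_allowed(string $name, string $client_mime): bool {
    $image_mime = ['image/jpeg', 'image/png', 'image/gif'];
    return in_array($client_mime, $image_mime, true)
        && preg_match('/\.(jpe?g|png|gif)/i', $name) === 1;
}

// Strict check: look only at the final extension, require it to be on an
// allow-list, and confirm that the file content starts with the magic bytes of
// that format. The client-supplied MIME type is ignored entirely.
function strict_upload_allowed(string $name, string $content): bool {
    $allowed = [
        'jpg'  => ["\xFF\xD8\xFF"],
        'jpeg' => ["\xFF\xD8\xFF"],
        'png'  => ["\x89PNG\r\n\x1a\n"],
        'gif'  => ["GIF87a", "GIF89a"],
    ];
    // Reject path separators and NUL bytes before looking at the extension,
    // so the name cannot be used for traversal or extension truncation.
    if (preg_match('/[\/\\\\\x00]/', $name) === 1) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    foreach ($allowed[$ext] as $magic) {
        if (strncmp($content, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed samples: [file name, client-claimed MIME type, file content].
$samples = [
    ['photo.jpg',              'image/jpeg', "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)],
    ['malicious-file.jpg.php', 'image/jpeg', "<?php system(\$_GET['c']); ?>"],
    ['shell.php',              'image/jpeg', "<?php phpinfo(); ?>"],
    ['fake.png',               'image/png',  "<?php echo 1; ?>"],
];

foreach ($samples as [$name, $mime, $content]) {
    printf("%-24s weak=%s strict=%s\n",
        $name,
        weak_upload_allowed($name, $mime) ? 'allow' : 'deny',
        strict_upload_allowed($name, $content) ? 'allow' : 'deny');
}
```

Run it with `php example.php`. The strict filter keys on the final extension only and confirms the file's leading bytes, so the double-extension name is rejected, and so is a ".png" whose contents are PHP source. It cannot reject a genuine image with PHP appended to it; that file is stored as ".jpg", which is harmless only if the web server never executes PHP from the uploads directory, so that server-side rule is the second layer a deployment should have. Inside WordPress, wp_check_filetype_and_ext() performs the equivalent name-versus-content comparison.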

The following HTML form illustrates the shape of the upload request an attacker would send. The endpoint path is left as a placeholder; in practice the request can be sent with any HTTP client, so nothing in the form itself constrains what is uploaded:

<form action="PATH_TO_WP_Githuber_MD_IMAGE_UPLOAD_ENDPOINT" method="post" enctype="multipart/form-data">
    <!-- MAX_FILE_SIZE is an advisory hint read by PHP's upload handling; the client controls its value -->
    <input type="hidden" name="MAX_FILE_SIZE" value="100000">
    <!-- accept= only filters the browser's file picker; the server does not enforce it -->
    <input type="file" name="image" accept="image/*,.jpg,.png,.gif,.bmp">
    <input type="submit" value="Upload">
</form>

Once the file is stored, the attacker requests its URL; if the upload directory is served through the PHP handler, the web server executes the script and the attacker achieves arbitrary code execution.

Original References

- CVE Details - CVE-2023-47846
- Terry Lin WP Githuber MD - WordPress Plugin Directory

Mitigation

Users of WP Githuber MD are strongly advised to update to version 1.16.3 or later as soon as possible. The plugin's developer addressed the issue by fixing the upload validation so that the file's extension is properly checked before the upload is accepted, which prevents a PHP file from being stored where it could be executed.

In addition to updating the plugin, website administrators can also implement further security measures, such as:

Conclusion

CVE-2023-47846 is a severe vulnerability affecting WP Githuber MD from n/a through 1.16.2. Unrestricted upload of files with dangerous types can lead to arbitrary code execution and takeover of the site. WordPress administrators running the plugin should be aware of the issue and apply the update promptly.

Timeline

Published on: 03/26/2024 21:15:51 UTC
Last modified on: 03/27/2024 12:29:30 UTC