Unpacking CVE-2023-6846: The File Manager Pro WordPress Plugin Vulnerability

In the rapidly evolving world of cyber threats, vulnerabilities in widely used software can pose significant risks.

One such vulnerability, identified as CVE-2023-6846, has recently surfaced, affecting the File Manager Pro plugin for WordPress.

This popular plugin, which aids in the management of files within the WordPress ecosystem, has been found to have a critical flaw that could potentially compromise the security of numerous websites.

The CVE-2023-6846 vulnerability is a glaring example of how seemingly innocuous features, like a syntax checker, can be manipulated to create a window of opportunity for attackers.

In this blog post, we will delve into the specifics of this vulnerability, exploring its potential risks, the technical details surrounding it, and the countermeasures that have been introduced to mitigate the threat it poses.

Critical Security Flaw Detected in WordPress File Manager Pro Plugin

A critical vulnerability has been discovered in the File Manager Pro Plugin for WordPress, a popular content management system.

This flaw, labeled CVE-2023-6846, affects versions up to 8.3.4 and lies in a component of the plugin that is not further specified.

This significant security gap allows unrestricted file uploads through the manipulation of an input that is likewise not identified.

The vulnerability has been assigned the identification number CVE-2023-6846 and earned a CVSS score of 8.8, indicating a high severity level.

Details of the Arbitrary File Upload Vulnerability

The vulnerability lies within the 'mk_check_filemanager_php_syntax' AJAX function of the File Manager Pro plugin.

This flaw enables attackers, who have obtained at least subscriber-level access, to upload files arbitrarily and execute code on the server.

The Risks of Unrestricted Upload Vulnerability

Categorized under CWE-434, this vulnerability exposes the system to dangerous file types.

An attacker can exploit this flaw to upload or transfer harmful files that can be automatically processed within the plugin’s environment.

This security loophole puts confidentiality, integrity, and availability at high risk.

Deep Dive into the Technical Analysis of File Manager Pro Plugin Vulnerability

The File Manager Pro plugin, a premium WordPress tool, boasts a variety of advanced features and functionalities.

One such feature is the syntax checker, designed to review code for errors before saving files.

Unpacking the Syntax Checker Functionality

A closer look at the plugin’s code exposes its reliance on the mk_check_filemanager_php_syntax_callback() function.

This function handles the PHP syntax check requested over AJAX: it creates a temporary file, writes the submitted PHP code into it, and runs a syntax check on that file.

The check itself is safe: php -l only lints the file and does not execute the code it contains.

// wp_ajax_ hooks fire for any authenticated request to /wp-admin/admin-ajax.php;
// no capability is required to reach the callback.
add_action('wp_ajax_mk_check_filemanager_php_syntax', array(&$this, 'mk_check_filemanager_php_syntax_callback'));

/* Check php Syntax Errors */
public function mk_check_filemanager_php_syntax_callback()
{
    $filename = isset($_POST['filename']) ? sanitize_file_name($_POST['filename']) : '';
    $fileMime = isset($_POST['filemime']) ? sanitize_mime_type($_POST['filemime']) : '';
    $code = stripslashes($_POST['code']); // user-supplied PHP source, written verbatim below
    if (is_user_logged_in() && $fileMime == 'text/x-php') { // being logged in is the only gate
        $current_user = wp_get_current_user();
        $upload_dir = wp_upload_dir();
        if (isset($current_user->user_login) && !empty($upload_dir['basedir'])) {
            // fixed, predictable path under wp-content/uploads, which the web server serves as PHP
            $fm_temp = $upload_dir['basedir'].'/fm_temp.php';
            $handle = fopen($fm_temp, 'w');
            fwrite($handle, $code);
            // php -l only lints; the file is not removed afterwards
            $check = shell_exec('php -d display_errors=1 -l '.$fm_temp);

            if(empty($check)){
                echo '<p>('.__('Unable to execute php syntax checker due to server permissions.', 'wp-file-manager-pro').')</p>';
            } elseif(strpos($check, 'No syntax errors') === false) {
                $check = str_replace('on line', 'on line number', $check);
                echo str_replace($fm_temp, '<strong>'.$filename.'</strong>', $check);
                echo '<p>('.__('File', 'wp-file-manager-pro').' <strong>'.$filename.'</strong> '.__('not saved.', 'wp-file-manager-pro').')</p>';
            } else {
                echo '1';
            }
        }
    } else {
        echo '1';
    }
    die;
}

The Temporary File: A Window of Opportunity for Attackers

However, the temporary file isn’t immediately deleted after the syntax check.

The remove_fm_temp_file() function, which is tasked with deleting the temporary file, is hooked to admin_init, so it runs only when an admin page is next loaded.

This delay creates a window of opportunity where the test file remains on the server before being deleted, making it accessible to potential threat actors.

// admin_init runs on admin page loads, not at the end of the syntax check,
// so the file from the previous request survives until then.
add_action('admin_init', array(&$this, 'remove_fm_temp_file'));

/* Remove Fm Temp File */
public function remove_fm_temp_file()
{
    $upload_dir = wp_upload_dir();
    $fm_temp = $upload_dir['basedir'].'/fm_temp.php';
    if (file_exists($fm_temp)) {
        unlink($fm_temp);
    }
}

The Vulnerability: No Capability Checks and Delayed File Deletion

In the affected versions of the plugin, no capability checks were used.

The only security measure in place was a verification check to confirm that the user was logged into WordPress.

Coupled with the delayed deletion of the temporary file, this means any logged-in user, even a subscriber, can add any PHP code to the temporary file and access it later.

The Potential Exploit Process

This loophole allows attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.

The exploit process would typically involve a WordPress user (threat actor) submitting a POST request containing PHP code to /wp-admin/admin-ajax.php?action=mk_check_filemanager_php_syntax.

The proof-of-concept code submitted in that request is:

<?php
echo 'md5("exploit"): ' . md5( 'exploit' );

The threat actor then sends a GET request to /wp-content/uploads/fm_temp.php, triggering the execution of the malicious code on the server.

The response from fm_temp.php includes:

md5("exploit"): thehashvalue
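The two requests described above leave a recognisable trace in a web server's access log: a POST to admin-ajax.php with action=mk_check_filemanager_php_syntax, followed shortly afterwards by a GET for /wp-content/uploads/fm_temp.php from the same client. The following script is an added example, not part of the original post, that flags that pattern. The log lines it scans are constructed (documentation IP ranges, made-up timestamps) and the 600-second correlation window is an arbitrary assumption; any request for fm_temp.php is reported, since a browser has no legitimate reason to fetch the lint scratch file.

```php
<?php
/*
 * Added example (not from the original post): detect the syntax-check POST
 * followed by a fetch of fm_temp.php in a "combined" format access log.
 * The sample lines below are constructed.
 */
$sampleLog = <<<'LOG'
203.0.113.5 - - [24/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=mk_check_filemanager_php_syntax HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jan/2024:10:00:04 +0000] "GET /wp-content/uploads/fm_temp.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jan/2024:10:05:00 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jan/2024:10:06:00 +0000] "GET /wp-content/uploads/fm_temp.php HTTP/1.1" 404 196 "-" "curl/8.4.0"
LOG;

// Captures: client IP, timestamp, method, request target, status code.
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

function findings(string $log, int $windowSeconds = 600): array
{
    $lastLint = []; // client IP => unix time of its most recent syntax-check POST
    $out = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue; // not a combined-format line; skip it
        }
        [, $ip, $when, $method, $target, $status] = $m;
        $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $when)->getTimestamp();
        $path = parse_url($target, PHP_URL_PATH);
        parse_str((string) parse_url($target, PHP_URL_QUERY), $query);

        // Step 1: remember who invoked the vulnerable AJAX action and when.
        if ($method === 'POST' && $path === '/wp-admin/admin-ajax.php'
            && ($query['action'] ?? '') === 'mk_check_filemanager_php_syntax') {
            $lastLint[$ip] = $ts;
            continue;
        }
        // Step 2: any request for the scratch file is suspicious; a successful
        // fetch shortly after a lint POST from the same IP is the full pattern.
        if ($path === '/wp-content/uploads/fm_temp.php') {
            $recentLint = isset($lastLint[$ip]) && ($ts - $lastLint[$ip]) <= $windowSeconds;
            $severity = ($recentLint && $status === '200') ? 'high' : 'medium';
            $out[] = sprintf('%s %s: %s fetched fm_temp.php (status %s, lint POST %s)',
                $severity, $ip, $when, $status, $recentLint ? 'within window' : 'not seen');
        }
    }
    return $out;
}

foreach (findings($sampleLog) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php detect.php`; on the constructed input it reports the first client as high (lint POST three seconds before a successful fetch) and the second as medium (a 404 for fm_temp.php with no preceding lint POST). In production, feed it the real log and key the correlation on whatever client identifier the proxy in front of WordPress preserves.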

Research and Scoring of the Vulnerability

Tobias Weißhaar, a cybersecurity researcher, discovered this flaw. The vulnerability was rated using the CVSS v3.1 metrics, resulting in a score of 8.8.

The CVSS vector string for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited over the network (AV:N), has a low attack complexity (AC:L), requires a low level of privileges (PR:L), doesn’t need user interaction (UI:N), has unchanged scope (S:U), and can have a high impact on confidentiality (C:H), integrity (I:H), and availability (A:H).

Disclosure and Identification of the Vulnerability

The vulnerability was publicly disclosed on January 24, 2024, and has been uniquely identified as CVE-2023-6846 since December 15, 2023.

However, the precise technical details surrounding this vulnerability remain undisclosed, and no public exploit is currently available.

Potential Exploit Pricing and Attack Technique

As of January 24, 2024, the estimated cost of an exploit ranges from $0 to $5,000.

In terms of attack methodology, this issue employs the T1608.002 technique, according to the MITRE ATT&CK classification.

Patched Version and Countermeasures

In response to this threat, version 8.3.5 of the File Manager Pro plugin introduces a new capability check.

This security measure prevents non-admin users from executing the vulnerable function, thus mitigating the risk posed by the Arbitrary File Upload vulnerability.
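The page describes only the capability check added in 8.3.5. The following rewrite of the callback is an added example, not the plugin's own code and not the vendor's patch, that closes both halves of the problem discussed above: the missing capability check (the vulnerability section) and the lingering, web-served temp file (the remove_fm_temp_file() delay). It is a method of the same plugin class as the original fragment. The WordPress functions used (current_user_can, check_ajax_referer, wp_unslash, get_temp_dir, esc_html__, wp_send_json_error) are real core APIs; the nonce action name 'mk_php_syntax' and the 'nonce' POST field are assumptions about what the plugin's JavaScript would send, and the PHP CLI is assumed to be reachable as php.

```php
// Added example: hardened syntax-check callback (not the plugin's code).
// Assumes the calling JavaScript posts a 'nonce' field made with
// wp_create_nonce('mk_php_syntax') and that 'php' is on the PATH.
add_action('wp_ajax_mk_check_filemanager_php_syntax', array($this, 'mk_check_filemanager_php_syntax_callback'));

/* Check php Syntax Errors (hardened) */
public function mk_check_filemanager_php_syntax_callback()
{
    // Capability check: a login alone admitted subscribers; require an administrator.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // CSRF protection: check_ajax_referer() sends 403 and exits on a bad nonce.
    check_ajax_referer('mk_php_syntax', 'nonce');

    $filename = isset($_POST['filename']) ? sanitize_file_name(wp_unslash($_POST['filename'])) : '';
    $fileMime = isset($_POST['filemime']) ? sanitize_mime_type(wp_unslash($_POST['filemime'])) : '';
    $code     = isset($_POST['code']) ? wp_unslash($_POST['code']) : '';

    if ($fileMime !== 'text/x-php') {
        echo '1'; // nothing to lint; keep the original "ok" response
        die;
    }

    // Random name, system temp directory, no .php extension: the file is never
    // reachable through the web server, so there is no fm_temp.php to fetch.
    $tmp = tempnam(get_temp_dir(), 'fm_lint_');
    if ($tmp === false || file_put_contents($tmp, $code) === false) {
        if ($tmp !== false) {
            unlink($tmp);
        }
        wp_send_json_error('unable to create temporary file', 500);
    }

    // php -l only lints; escapeshellarg() keeps the path intact in the command.
    $check = shell_exec('php -d display_errors=1 -l ' . escapeshellarg($tmp) . ' 2>&1');

    // Remove the scratch file immediately instead of waiting for admin_init.
    unlink($tmp);

    if (empty($check)) {
        echo '<p>(' . esc_html__('Unable to execute php syntax checker due to server permissions.', 'wp-file-manager-pro') . ')</p>';
    } elseif (strpos($check, 'No syntax errors') === false) {
        // Show the user-facing filename instead of the temp path, and escape the
        // lint output before echoing it into the admin page.
        $check = str_replace('on line', 'on line number', $check);
        $check = str_replace($tmp, $filename, $check);
        echo '<p>' . nl2br(esc_html($check)) . '</p>';
        echo '<p>(' . esc_html__('File', 'wp-file-manager-pro') . ' <strong>' . esc_html($filename) . '</strong> ' . esc_html__('not saved.', 'wp-file-manager-pro') . ')</p>';
    } else {
        echo '1';
    }
    die;
}
```

The capability check alone would have stopped CVE-2023-6846 as described, but the temp-file change is what removes the class of bug: even if an authorised administrator lints malicious code, nothing is ever written to a path the web server will execute, and nothing depends on a later hook to clean up.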

Conclusion

The CVE-2023-6846 vulnerability in the File Manager Pro plugin underscores the importance of robust security measures in any online platform.

While the discovery of such flaws can be disconcerting, it also presents an opportunity for developers and users alike to fortify their defenses and enhance the overall security of their digital spaces.

It’s crucial for users to stay updated on these vulnerabilities and ensure they’re using the patched versions of their plugins.

The cybersecurity landscape is a battlefield where vigilance and proactivity are key.

As we continue to rely heavily on digital platforms, understanding and addressing vulnerabilities like CVE-2023-6846 becomes not just beneficial but essential.