WordPress User Registration 3.0.2 Arbitrary File Upload

CVE: CVE-2023-3342
Category: CWE-434
Price: $500
Severity: High
Author: RIPSTech
Risk: High
Exploitation Type: Remote
Date: 2023-07-13
CVSS: 3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023070028

Below is a copy:

WordPress User Registration 3.0.2 Arbitrary File Upload
Description: User Registration <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Upload

Affected Plugin: User Registration - Custom Registration Form, Login Form And User Profile For WordPress

Plugin Slug: user-registration

Affected Versions: <= 3.0.2

CVE ID: CVE-2023-3342

CVSS Score: 9.9 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher/s: Lana Codes 

Fully Patched Version: 3.0.2.1

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation in the ur_upload_profile_pic function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files to the affected site's server, which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.

Technical Analysis

The User Registration plugin provides a versatile drag and drop registration form builder, with custom fields and unlimited customization options. It also provides a login form. After logging in, it provides users with a profile that allows various types of customization, including uploading a profile picture.

Examining the code reveals that the plugin uses two separate functions to set the profile picture. The first AJAX function uploads the profile picture to a temp folder, and the second request moves the file and sets the profile picture to the user.

The profile_pic_upload() function uses a generic image upload routine, which checks the file extension and then stores the image in the temp folder. The interesting part is that the data describing the uploaded file is returned in encrypted form within the AJAX response:

[VIEW THIS CODE SNIPPET ON THE BLOG] 

JSON response after the file upload in the profile_pic_upload() function

The encrypted upload_files data in the response is something like this:

upload_files-response 

Encryption is used because of the way the plugin handles uploads: the encrypted data is later decrypted and used to determine the filename and path under which the file is saved for the user. Encrypting and decrypting that data requires an encryption key, and as a general rule encryption keys should be confidential and unique to each website.

[VIEW THIS CODE SNIPPET ON THE BLOG] 

We unfortunately found that the encryption key is hardcoded in vulnerable versions of the plugin in the crypt_the_string() function, which means that threat actors also had access to the key, and that the key was not unique per WordPress installation. This makes it possible for attackers to craft an upload_files data array payload that modifies the filename, path, and extension used when saving the profile picture.

The plugin calls the function ur_upload_profile_pic() when saving the profile, which contains the following code:

[VIEW THIS CODE SNIPPET ON THE BLOG] 

Rename and move the file in ur_upload_profile_pic() function

The function decrypts the encrypted file data supplied in the save request. Based on this data, the file in the temp folder is moved and renamed using the PHP rename() function. Unfortunately, there is no file type check before the rename, which means that the image file can be renamed to a file with any extension, such as .php, .phtml, .html, and more.
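To show the two weaknesses from the defender's side, the following is an added PHP example written for this page; it is neither the plugin's code nor the vendor's patch. It models the two-request flow the advisory describes (upload to a temp folder, then move on profile save) with the checks the vulnerable versions lacked: the upload record is bound to a per-site secret with an HMAC rather than a key shared by every install, the temp path is confirmed to lie inside the temp folder, and the extension is re-validated against an image allowlist at move time before rename() runs. All function names, the placeholder secret, the directory names and the sample record are assumptions constructed for the example.

```php
<?php
// Added example, not the User Registration plugin's own code. It models the
// advisory's two-request flow (upload to a temp folder, then move on profile
// save) and adds the two checks the vulnerable versions lacked: the upload
// record is bound to a per-site secret with an HMAC instead of a key shared
// by every install, and the extension is re-validated at move time before
// rename() runs. All function names, paths and sample data are constructed.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

// Seal the upload record with a MAC keyed by a per-site secret. In WordPress
// the secret would be derived from wp_salt() or generated at install time and
// stored server-side; the value used below is a placeholder.
function seal_upload_record(array $record, string $site_secret): string
{
    $payload = base64_encode(json_encode($record));
    return $payload . '.' . hash_hmac('sha256', $payload, $site_secret);
}

// Open a sealed record. A client that rewrites file_name and re-seals with a
// different key cannot produce a MAC that verifies against this site's secret.
function open_upload_record(string $token, string $site_secret): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $site_secret), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $record = $raw === false ? null : json_decode($raw, true);
    return is_array($record) ? $record : null;
}

// Destination chosen entirely server-side: the extension must be on the image
// allowlist and the stored name is random, so neither the client-supplied name
// nor a path component from the record ever reaches rename().
function safe_destination(array $record, string $dest_dir): ?string
{
    $name = (string) ($record['file_name'] ?? '');
    if ($name === '' || basename($name) !== $name) {
        return null; // empty name or a name carrying path separators
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // .php, .phtml, .html, ... never get past this point
    }
    return rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// The save step: verify the token, confirm the temp file really lives in the
// temp folder, then move it to a server-chosen destination.
function move_profile_picture(string $token, string $site_secret, string $temp_dir, string $dest_dir): ?string
{
    $record = open_upload_record($token, $site_secret);
    if ($record === null) {
        return null;
    }
    $source = realpath((string) ($record['file_path'] ?? ''));
    $root = realpath($temp_dir);
    if ($source === false || $root === false
        || strpos($source, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // temp path resolves outside the temp folder
    }
    $target = safe_destination($record, $dest_dir);
    if ($target === null || !rename($source, $target)) {
        return null;
    }
    return $target;
}

// Demonstration with constructed data in the system temp directory.
$siteSecret = 'PLACEHOLDER_PER_SITE_SECRET';
$tempDir = sys_get_temp_dir() . '/ur-demo-temp';
$destDir = sys_get_temp_dir() . '/ur-demo-profile-pictures';
@mkdir($tempDir);
@mkdir($destDir);
file_put_contents($tempDir . '/exploit.png', 'constructed stand-in for image bytes');

$record = ['file_name' => 'exploit.png', 'file_path' => $tempDir . '/exploit.png', 'user_id' => 7];
$token = seal_upload_record($record, $siteSecret);

// A record re-sealed with a key that is the same on every install, with the
// extension changed: the MAC check rejects it before any file operation.
$forged = seal_upload_record(['file_name' => 'exploit.php'] + $record, 'same-key-on-every-site');
var_dump(move_profile_picture($forged, $siteSecret, $tempDir, $destDir));

// Even a genuinely sealed record cannot name a .php target.
var_dump(safe_destination(['file_name' => 'exploit.php'], $destDir));

// The legitimate flow succeeds and the file lands under a random .png name.
var_dump(move_profile_picture($token, $siteSecret, $tempDir, $destDir));
```

Run it with the PHP CLI; it only touches two directories under the system temp path. In a real plugin the allowlist check would normally be replaced by WordPress's own wp_check_filetype_and_ext() (which also inspects file content, not just the name), and the simplest fix of all is to keep the temp record server-side (for example in user meta keyed by the uploading user) so that nothing the client returns has to be trusted in the save request.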

Exploit Possibilities

Exploiting the vulnerability requires multiple complex steps, as two separate functions and requests must be used to upload and move the file:

- Register a user
- Log in as the user (since it is only possible to upload a profile picture for the user)
- Upload the malicious exploit.png image file
- Retrieve the encrypted file data from the response
- Decrypt the file data
- Modify the file extension to php in the file name
- Encrypt the file data
- Save the profile with the encrypted and modified file data

Since only an image file can be uploaded during the upload step, because its extension is checked there, the initial step involves uploading a file named, for example, exploit.png as a profile picture with the following request:

user_registration_profile_pic_upload-http-request 

In this scenario, the attacker uploads an exploit.png file, which is actually a PHP script, but with a .png extension:

[VIEW THIS CODE SNIPPET ON THE BLOG] 

The response will be a JSON payload containing the encrypted result returned from the profile_pic_upload() function. The upload_files parameter needs to be decrypted using the hardcoded key, which yields a serialized array similar to this:

upload_files-array 

The attacker would then change the file name from exploit.png to exploit.php and re-encrypt the array. The newly encrypted result can then be used when saving the profile in the next request:

save_profile_details-http-request 

The exploit renames the image file to a .php file and moves it to the profile pictures folder.

The complete exploit process looks like this:

user-registration-howto-wordfence 

Wordfence Firewall

The following graphic demonstrates the exploitation steps an attacker might take and the point at which the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

user-registration-howto-wordfence-firewall 

Disclosure Timeline

June 19, 2023 - Discovery of the Arbitrary File Upload vulnerability in User Registration.

June 19, 2023 - We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.

June 19, 2023 - The vendor confirms the inbox for handling the discussion.

June 19, 2023 - We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

June 20, 2023 - Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

June 29, 2023 - A partial patch is released in version 3.0.2.

July 4, 2023 - A fully patched version of the plugin, 3.0.2.1, is released.

July 20, 2023 - Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the User Registration plugin affecting versions 3.0.2 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 3.0.2.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of User Registration.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 20, 2023. Sites still using the free version of Wordfence will receive the same protection on July 20, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Copyright ©2024 Exploitalert.
