Description
A critical vulnerability has been identified in the XML parser component of the WordPress Revy plugin. This vulnerability allows for the unrestricted upload of files with dangerous types, specifically enabling the upload of a web shell to a web server.
Affected Product(s)
- WordPress Revy plugin, versions up to 1.18
Technical Details
The WordPress Revy plugin (Revy, version 1.18 or earlier) is susceptible to a critical vulnerability tracked as CVE-2024-54214, which has been assigned a CVSS score of 10.0, the highest possible severity rating.
This vulnerability stems from a lack of restrictions on file uploads, particularly those that can contain dangerous types such as web shells. Web shells are malicious scripts that can be uploaded to a web server to enable remote control and execution of arbitrary commands. They are a favorite tool among hackers because of their ease of deployment and the powerful control they provide over compromised systems.
Internally, the Revy plugin fails to properly validate and sanitize file uploads, which allows attackers to bypass the checks that normally prevent the upload of executable files. An attacker exploits this by uploading a malicious file, typically a PHP script, through the vulnerable plugin. Once the file is stored in a web-served directory, the attacker can request it and remotely execute commands on the web server, effectively gaining full control over the website and potentially the hosting environment.
An attack exploiting this vulnerability does not require authentication, which significantly increases the risk: any remote, unauthenticated adversary can carry it out. Once a malicious script is uploaded and executed, the attacker can use it to:
- Steal sensitive data (e.g., database credentials, user data).
- Execute arbitrary commands and scripts.
- Move laterally within the network to compromise additional systems.
- Establish persistence for prolonged access.
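As an added example (not the Revy plugin's code, which this advisory does not show), the CWE-434 pattern described above beside a hardened WordPress upload handler; the AJAX action name `myplugin_upload`, the nonce name and the `file` form field are assumed.

```php
<?php
// Added example, not the Revy plugin's code. The weak pattern behind CWE-434:
// the client-supplied name is trusted and the temporary file is moved straight
// into a web-served directory, so an uploaded .php file becomes a web shell.
function weak_upload_handler() {
    $dest = wp_upload_dir()['path'] . '/' . $_FILES['file']['name']; // no checks at all
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
}

// Hardened handler: authorization, CSRF nonce, an allowlist of types, and
// WordPress's own extension/MIME cross-check before anything is stored.
function hardened_upload_handler() {
    // The advisory notes the flaw was reachable without authentication; require
    // a logged-in user who holds the upload capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'myplugin_upload', 'nonce' ); // nonce action name is assumed

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // Allowlist, never a denylist: only these extension => MIME pairs are accepted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Cross-check the claimed extension against the file's real content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Use the corrected name if WordPress had to rename the file, then sanitize it.
    $name         = $check['proper_filename'] ? $check['proper_filename'] : $file['name'];
    $file['name'] = sanitize_file_name( $name );

    // wp_handle_upload re-applies the allowlist and stores the file under uploads/.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_myplugin_upload', 'hardened_upload_handler' ); // assumed action name
```

Even with this in place, the server should refuse to execute PHP under `wp-content/uploads/` so that a bypass of the allowlist cannot yield code execution.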
Threat actors leveraging such vulnerabilities often use automated tools or bots to scan for and exploit vulnerable installations of web applications, including WordPress plugins like Revy. They target such vulnerabilities to plant backdoors, steal data, and in some cases deliver ransomware payloads.
The references provided, such as CVE Mitre, NVD, and Patchstack, confirm the critical nature of this vulnerability and provide detailed evidence and analysis. Technical details and potential exploit code are shared within security communities to enable faster responses and patching. The plugin's architecture itself is not inherently flawed, but the insufficient input validation and improper file upload handling make it an easy target for adversaries.
Versions beyond 1.18, if any, should ideally incorporate stronger sanitization and verification mechanisms to ensure files with dangerous types are properly filtered out before acceptance. Administrators using the Revy plugin must stay vigilant and proactive in applying security patches and updates when released by the vendor.
Regular security assessments and the implementation of additional security plugins or tools could also mitigate such vulnerabilities and thwart potential exploitation attempts.
Weakness
This vulnerability is primarily associated with CWE-434, Unrestricted Upload of File with Dangerous Type. It entails the acceptance and storage of files that can perform dangerous operations (like execution of code remotely) without proper validation or sanitization.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code on the affected system, plant backdoors, steal user information, and potentially deliver further malicious payloads such as ransomware.
Active Exploitation
We have observed activity from various adversaries targeting similar vulnerabilities in WordPress plugins. This particular vulnerability has been identified as highly likely to be actively exploited due to its critical nature and the ease of execution without requiring authentication.
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically where attackers exploit this vulnerability to gain initial access to the system, deploy web shells, and subsequently install ransomware like the ABC ransomware.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Please update to version 1.19 immediately, which incorporates enhanced file validation techniques to prevent the upload of potentially dangerous files.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Follow the steps to patch: Download the updated version from the vendor’s repository, deactivate the old plugin, upload and activate the new version.
- Conduct regular security assessments and vulnerability scans on your systems.
- Implement additional security measures such as web application firewalls (WAFs) that can intercept and block malicious file uploads.
- Regularly back up your data to ensure that recovery is possible in the event of an attack.
- Educate your administrators and developers on secure coding practices and the importance of validating user inputs.
- Monitor network traffic and access logs for any suspicious activity that may indicate exploitation attempts.
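An added example for the monitoring recommendation, not part of the advisory: a PHP scanner that flags access-log entries requesting script files under `wp-content/uploads/`, the location where a web shell dropped through an unrestricted upload would be called. The log lines are constructed and the log format is assumed to be the Apache/Nginx combined format.

```php
<?php
// Added example, not part of the advisory: scan access-log lines for requests that
// reach script files under wp-content/uploads/, where a web shell dropped through an
// unrestricted upload would be called. Log lines are constructed; IPs are doc ranges.
$sample_log = <<<'LOG'
203.0.113.7 - - [10/Dec/2024:10:01:02 +0000] "GET /wp-content/uploads/2024/12/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:10:01:11 +0000] "GET /wp-content/uploads/2024/12/cache.php?p=1 HTTP/1.1" 200 317 "-" "python-requests/2.31"
198.51.100.4 - - [10/Dec/2024:10:02:30 +0000] "GET /wp-content/uploads/2024/12/image.php.jpg HTTP/1.1" 403 199 "-" "curl/8.4"
LOG;

// Request line of an Apache/Nginx combined-format entry: ip, timestamp, method, url, status.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
// Script extensions that must never be served from uploads/; matched anywhere in the
// name so double extensions such as shell.php.jpg are caught as well.
const SCRIPT_EXT_RE = '/\.(php\d?|phtml|phar)(\.|$)/i';

function find_upload_script_requests( string $log ): array {
    $findings = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( LOG_RE, $line, $m ) ) {
            continue; // unparseable entry; a production scanner would count these
        }
        list( , $ip, $ts, $method, $url, $status ) = $m;
        $path = parse_url( $url, PHP_URL_PATH );
        if ( ! is_string( $path ) || 0 !== strpos( $path, '/wp-content/uploads/' ) ) {
            continue;
        }
        if ( ! preg_match( SCRIPT_EXT_RE, basename( $path ) ) ) {
            continue;
        }
        $findings[] = array(
            'ip'       => $ip,
            'time'     => $ts,
            'method'   => $method,
            'path'     => $path,
            'status'   => (int) $status,
            // A 2xx means the server handed the request to the script: treat as executed.
            'severity' => '2' === $status[0] ? 'high' : 'medium',
        );
    }
    return $findings;
}

foreach ( find_upload_script_requests( $sample_log ) as $f ) {
    printf( "[%s] %s %s %s -> %d from %s\n", $f['severity'], $f['time'], $f['method'], $f['path'], $f['status'], $f['ip'] );
}
```

On a correctly hardened server such requests should return 403 because PHP execution is disabled under `uploads/`; a 200 response warrants immediate inspection of the file and of the upload requests that preceded it.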
References