cbcvebase.
CVE-2018-7422
published 2018-03-19

CVE-2018-7422: A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the…

PriorityP181high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
63.10%
99.1th percentile
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal.

Affected

1 ranges
VendorProductVersion rangeFixed in
siteeditorsite_editor<= 1.1.1

Detection & IOCsextracted from sources · hover to see the quote

path/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php
url/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
url/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php
filenameajax_shortcode_pattern.php
sigma
matchers: type: word, part: body, words: ["DB_NAME", "DB_PASSWORD"] condition: and; type: regex, part: body, regex: ["root:.*:0:0:"]
  • Look for GET requests targeting ajax_shortcode_pattern.php with an ajax_path parameter containing path traversal sequences (e.g., '../') or absolute paths (e.g., '/etc/passwd', '/etc/passwd') in web server access logs.
  • The vulnerable parameter is ajax_path, supplied via $_REQUEST (GET or POST). Monitor for requests where ajax_path contains absolute paths or traversal sequences targeting sensitive files such as /etc/passwd or wp-config.php.
  • Detect successful exploitation by inspecting HTTP response bodies for strings 'DB_NAME' and 'DB_PASSWORD' (wp-config.php exfiltration) or the regex pattern 'root:.*:0:0:' (/etc/passwd exfiltration).
  • Flag any HTTP request to the path /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php regardless of method (GET/POST), as this endpoint is the sole attack surface for CVE-2018-7422.
  • ·The vulnerability exists only in Site Editor plugin versions up to and including 1.1.1. Verify the installed plugin version before triaging alerts.
  • ·No fix was available at the time of public disclosure (March 2018). Confirm whether a patched version has since been released before relying solely on version-based detection.
  • ·The exploit requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated remote request to the vulnerable endpoint with a crafted ajax_path is sufficient for exploitation.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.