CVE-2018-7422
Published: 2018-03-19
CVE-2018-7422: A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the…
Priority: P181 · high · 7.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 63.10% (99.1th percentile)
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siteeditor | site_editor | <= 1.1.1 | — |
Detection & IOCs (extracted from sources)
path: /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php
url: /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
url: /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php
sigma: matchers: type: word, part: body, words: ["DB_NAME", "DB_PASSWORD"], condition: and; type: regex, part: body, regex: ["root:.*:0:0:"]
- Look for GET requests targeting ajax_shortcode_pattern.php with an ajax_path parameter containing path traversal sequences (e.g., '../') or absolute paths (e.g., '/etc/passwd') in web server access logs.
- The vulnerable parameter is ajax_path, supplied via $_REQUEST (GET or POST). Monitor for requests where ajax_path contains absolute paths or traversal sequences targeting sensitive files such as /etc/passwd or wp-config.php.
- Detect successful exploitation by inspecting HTTP response bodies for the strings 'DB_NAME' and 'DB_PASSWORD' (wp-config.php exfiltration) or the regex pattern 'root:.*:0:0:' (/etc/passwd exfiltration).
- Flag any HTTP request to the path /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php regardless of method (GET/POST), as this endpoint is the sole attack surface for CVE-2018-7422.
- The vulnerability exists only in Site Editor plugin versions up to and including 1.1.1. Verify the installed plugin version before triaging alerts.
- No fix was available at the time of public disclosure (March 2018). Confirm whether a patched version has since been released before relying solely on version-based detection.
- The exploit requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated remote request to the vulnerable endpoint with a crafted ajax_path is sufficient for exploitation.
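The detection points above can be combined into one log triage pass. The following is an added example, not code from any of the sources quoted on this page; the function names and the sample log lines are constructed for illustration, and the access log is assumed to be in common/combined format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = ("/wp-content/plugins/site-editor/editor/extensions/pagebuilder"
            "/includes/ajax_shortcode_pattern.php")
# Request and status fields of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
CONFIG_WORDS = ("DB_NAME", "DB_PASSWORD")      # word matcher, condition: and
PASSWD_RE = re.compile(r"root:.*:0:0:")        # regex matcher

def classify_request(line):
    """Return 'traversal', 'endpoint' or None for one access log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # endswith() also covers WordPress installed below a subdirectory.
    if not unquote(parts.path).endswith(ENDPOINT):
        return None
    for value in parse_qs(parts.query).get("ajax_path", []):
        # parse_qs decoded once; decode again and unify separators before matching.
        value = unquote(value).replace("\\", "/")
        if value.startswith("/") or "../" in value:
            return "traversal"
    # POST bodies are not logged, so any other hit on the path is still reported.
    return "endpoint"

def classify_body(body):
    """Return which sensitive file a response body appears to contain, if any."""
    if all(word in body for word in CONFIG_WORDS):
        return "wp-config.php"
    if PASSWD_RE.search(body):
        return "/etc/passwd"
    return None

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET ' + ENDPOINT + '?ajax_path=/etc/passwd HTTP/1.1" 200 1450',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blog' + ENDPOINT + '?ajax_path=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "POST ' + ENDPOINT + ' HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210',
]

def scan(lines):
    """Return (line_number, verdict) for every line that matched."""
    hits = ((n, classify_request(line)) for n, line in enumerate(lines, 1))
    return [(n, verdict) for n, verdict in hits if verdict]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 'traversal' verdict with a 200 status is the case to escalate first; `classify_body` applies only where response bodies are captured, for example by a proxy or WAF.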
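CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |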
GHSA
GHSA-pmwp-jmr4-5jjh: A Local File Inclusion vulnerability in the Site Editor plugin through 1
ghsa_unreviewed·2022-05-13
CVE-2018-7422 [HIGH] CWE-22 GHSA-pmwp-jmr4-5jjh: A Local File Inclusion vulnerability in the Site Editor plugin through 1
VulnCheck
siteeditor site_editor Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2018·CVSS 7.5
CVE-2018-7422 [HIGH] siteeditor site_editor Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: siteeditor site_editor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
Exploit PoC: https://vulncheck.com/xdb/bcdd6092f636; https://vulncheck.com/xdb/ee0a8a694cfd; https://vulncheck.com/xdb/180caec8c9da; https
No detection rules found.
Exploit-DB
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion
exploitdb·2018-03-23·CVSS 7.5
CVE-2018-7422 [HIGH] WordPress Plugin Site Editor 1.1.1 - Local File Inclusion
---
Product: Site Editor Wordpress Plugin - https://wordpress.org/plugins/site-editor/
Vendor: Site Editor
Tested version: 1.1.1
CVE ID: CVE-2018-7422
** CVE description **
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
** Technical details **
In site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php:5, the value of the ajax_path parameter is used for including a file with PHP’s require_once(). This parameter can be controlled by an attacker and is not properly sanitized.
Vulnerable code:
if( isset( $_REQUEST['ajax
Nuclei
WordPress Site Editor <=1.1.1 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2018-7422 [HIGH] WordPress Site Editor <=1.1.1 - Local File Inclusion
WordPress Site Editor through 1.1.1 allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
Template:
id: CVE-2018-7422
info:
  name: WordPress Site Editor <=1.1.1 - Local File Inclusion
  author: LuskaBol,0x240x23elu
  severity: high
  description: |
    WordPress Site Editor through 1.1.1 allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to sensitive files, potentially leading to further compromise of the system.
  remediation: |
    Update WordPress Site Editor plugin to the lat
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021