CVE-2023-2068
Published 2023-06-27
Priority: P277 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 39.62% (98.4th percentile)
The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advancedfilemanager | file_manager_advanced_shortcode | <= 2.3.2 | — |
Detection & IOCs (extracted from sources)
- Monitor for the multipart boundary string '----WebKitFormBoundaryI52DGCOt37rixRS1' in HTTP POST bodies to /wp-admin/admin-ajax.php, as this is the hardcoded boundary used by the public exploit.
- Look for GET requests to newly uploaded .php files under the WordPress uploads/file-manager directory immediately following a POST to admin-ajax.php with action=fma_load_shortcode_fma_ui, indicating webshell execution via the ?cmd= parameter.
- Scan page source for the '_fmakey' token being exposed to unauthenticated users; its presence on a public-facing page indicates the shortcode is deployed in a vulnerable configuration exploitable without authentication.
- The vulnerability is exploitable unauthenticated only when the File Manager Advanced Shortcode is placed on a public-facing page; if it is restricted to authenticated users, authentication is still required, but the upload bypass still works.
- Shortcode plugin versions 2.3.2 and lower are vulnerable; additionally, the parent File Manager Advanced plugin must be version 5.0.5 or lower to maintain the vulnerable configuration.
- The exploit bypasses MIME type restrictions by supplying 'upload_allow=text/x-php' as a POST parameter, overriding the server-side allowed MIME type list; sites that explicitly block PHP MIME types at the web server level (e.g., via .htaccess or nginx config) may not be directly exploitable even if the plugin is vulnerable.
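A log-correlation check for the second indicator above (an upload-handler POST to admin-ajax.php followed by a GET to a .php file under uploads/file-manager with a cmd parameter). This is added example code, not from any source on this page; it assumes a combined-format access log in which the action parameter is visible in the logged URI, the standard /wp-content/uploads prefix, and constructed sample lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not captured traffic.
# Assumption: the admin-ajax action parameter is visible in the logged URI; if it is
# only sent in the POST body, the same logic must run over WAF or full-request logs.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=fma_load_shortcode_fma_ui HTTP/1.1" 200 512
203.0.113.5 - - [27/Jun/2023:10:00:03 +0000] "GET /wp-content/uploads/file-manager/shell.php?cmd=id HTTP/1.1" 200 88
198.51.100.7 - - [27/Jun/2023:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=fma_load_shortcode_fma_ui HTTP/1.1" 200 512
198.51.100.7 - - [27/Jun/2023:10:05:02 +0000] "GET /wp-content/uploads/file-manager/report.pdf HTTP/1.1" 200 4096
192.0.2.9 - - [27/Jun/2023:11:00:00 +0000] "GET /wp-content/uploads/file-manager/x.php?cmd=whoami HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# POST that drives the vulnerable shortcode upload handler (action name from the advisory).
UPLOAD_RE = re.compile(r'^/wp-admin/admin-ajax\.php\?.*\baction=fma_load_shortcode_fma_ui\b')
# GET of a .php file under the plugin's upload directory carrying a cmd= parameter.
WEBSHELL_RE = re.compile(r'^/wp-content/uploads/file-manager/[^?]+\.php\?.*\bcmd=')


def parse(line):
    """Split one access-log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'ts': ts, 'method': m['method'],
            'uri': m['uri'], 'status': int(m['status'])}


def find_exploit_chains(log_text, window=timedelta(minutes=5)):
    """Return (ip, uri) for every successful webshell GET that follows an
    upload-handler POST from the same client within `window`."""
    last_upload = {}   # client ip -> timestamp of its most recent upload-handler POST
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and UPLOAD_RE.match(rec['uri']):
            last_upload[rec['ip']] = rec['ts']
        elif rec['method'] == 'GET' and rec['status'] == 200 and WEBSHELL_RE.match(rec['uri']):
            t0 = last_upload.get(rec['ip'])
            if t0 is not None and rec['ts'] - t0 <= window:
                hits.append((rec['ip'], rec['uri']))
    return hits


if __name__ == '__main__':
    for ip, uri in find_exploit_chains(SAMPLE_LOG):
        print(f'ALERT {ip}: {uri} executed shortly after a shortcode upload request')
```

Only the first client trips the rule: the second fetches a non-PHP file and the third has no preceding upload request and receives a 404.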
CVSS provenance
- NVD: CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- vendor_redhat: 4.0 MEDIUM
GHSA
GHSA-6h38-5jv9-8r57 · ghsa_unreviewed · 2023-06-27
CVE-2023-2068 [CRITICAL] CWE-434
Red Hat
vendor_redhat · 2023-10-27 · CVSS 4.0
CVE-2023-46246 [MEDIUM] CWE-190 vim: Integer Overflow in :history command
Vim is an improved version of the good old UNIX editor Vi. Heap use-after-free in memory allocated in the function `ga_grow_inner` in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it is possible that the provided argument overflows the accepted value, causing an integer overflow and potentially a later use-after-free. This vulnerability has been patched in version 9.0.2068.
Statement: Red Hat Product Security has rated this issue as having a Low security impact, because the "victim" has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is
No detection rules found.
Exploit-DB
exploitdb · 2023-06-04 · CVSS 9.8
CVE-2023-2068 [CRITICAL] File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
---
```python
# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068
import requests
import json
import pprint
import sys
import re

PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

try:
    COMMAND = sys.argv[2]
    IP = sys.argv[1]
    if len(COMMAND) > 1:
        pass
    if IP:
        pass
    else:
        print(f'Use: {sys.argv[0]} IP COMMAND')
except:
    pass

url = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode P
```
Metasploit
metasploit
CVE-2023-2068 Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode
The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. File Manager Advanced Shortcode plugin versions `2.3.2` and lower are vulnerable. To install the Shortcode plugin, File Manager Advanced version `5.0.5` or lower is required to keep the configuration vulnerable. Any user privileges can exploit this vulnerability, which results in access to the underlying operating system with the same privileges under which the Wordpress
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/173735/WordPress-File-Manager-Advanced-Shortcode-2.3.2-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/58f72953-56d2-4d86-a49b-311b5fc58056
Published: 2023-06-27