In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between December 23 and 24, 2023.
During this period, the National Vulnerability Database published 12 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 0
High: 5
Medium: 6
Low: 1
Severity Not Assigned: 0
Identifying and understanding these vulnerabilities is a pivotal step towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-6971
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful exploitation of this vulnerability requires that the target server's php.ini is configured with 'allow_url_include' set to 'on'. This feature is deprecated as of PHP 7.4 and is disabled by default, but can still be explicitly enabled in later versions of PHP.
References: https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php
https://plugins.trac.wordpress.org/changeset/3012745/backup-backup
https://www.wordfence.com/threat-intel/vulnerabilities/id/b380283c-0dbb-4d67-9f66-cb7c400c0427?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-6972
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
References: https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/bypasser.php
https://plugins.trac.wordpress.org/changeset/3012745/backup-backup
https://www.wordfence.com/threat-intel/vulnerabilities/id/0a3ae696-f67d-4ed2-b307-d2f36b6f188c?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-7002
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system.
References: https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/ajax.php#L1503
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/ajax.php#L1518
https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/ajax.php#L88
https://plugins.trac.wordpress.org/changeset/3012745/backup-backup
https://www.linuxquestions.org/questions/linux-security-4/php-function-exec-enabled-how-big-issue-4175508082/
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc49db10-988d-42bd-a9cf-9a86f4c79568?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-5961
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A Cross-Site Request Forgery (CSRF) vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior. An attacker can exploit this vulnerability to trick a client into making an unintentional request to the web server, which will be treated as an authentic request. This vulnerability may lead an attacker to perform operations on behalf of the victimized user.
References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-235250-iologik-e1200-series-web-server-vulnerability
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
5. CVE-2020-36769
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_data AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/
https://www.wordfence.com/threat-intel/vulnerabilities/id/e14f0fc6-fca4-4dd7-8f7b-ed5ed535c9af?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found