Multiple vulnerabilities in Nevma Adaptive Images for WordPress



Published: 2019-07-19 | Updated: 2019-09-23
Risk: High
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2019-14205, CVE-2019-14206
CWE-ID: CWE-98, CWE-22
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software
Adaptive Images for WordPress
Web applications / Modules and components for CMS

Vendor: Nevma

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) PHP file inclusion

EUVDB-ID: #VU19312

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-14205

CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to include arbitrary files on the system.

The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the "$_REQUEST['adaptive-images-settings']['source_file']" parameter in "adaptive-images-script.php". A remote attacker can arbitrarily choose which file the script reads and serves.

PoC:

http://[host]/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://[host]/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd




Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adaptive Images for WordPress: 0.2.08 - 0.6.66

External links

http://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown
http://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Path traversal

EUVDB-ID: #VU19313

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-14206

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists because the plugin contains a cache mechanism that saves the generated resized images and serves them from cache to avoid excessive resource usage. A remote attacker can send a specially crafted file and delete arbitrary files on the system.

The only condition for successful exploitation is that the file passed as "$source_file" is newer than the file passed as "$cache_file".

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Adaptive Images for WordPress: 0.2.08 - 0.6.66

External links

http://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown
http://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


