CVE-2023-51409: The Severe Vulnerability Threatening 50,000 WordPress Sites


The AI Engine plugin, a popular AI-related WordPress plugin with over 50,000 active installations, recently experienced a significant security vulnerability. The flaw, tracked as CVE-2023-51409 and classified as an “unauthenticated arbitrary file upload” issue, posed a severe risk to every site running an affected version of the plugin.

At its core, the vulnerability allowed any unauthenticated visitor to upload arbitrary files, including PHP files, to the server. Because a PHP file placed under the web root is executed by the web server when it is requested (unless the host explicitly blocks PHP execution in the uploads directory), this amounts to remote code execution (RCE): an attacker can run code of their choosing on the host serving the website. The issue received a Common Vulnerability Scoring System (CVSS) score of 10, the highest severity level.

CVE-2023-51409

CVE-2023-51409 stemmed from the plugin’s ‘rest_upload’ function, the callback behind the plugin’s REST API upload endpoint, which lacked adequate security checks for file uploads. The function did not properly verify the type and extension of the uploaded file, so an attacker could upload dangerous files, such as PHP scripts, which the server would then execute when they were requested.
</gml_replace>
<gr_replace lines="13" cat="clarify" orig="The root cause of this">
The root cause was not a missing ‘permission_callback’ but a permissive one: the endpoint was registered with ‘permission_callback’ set to ‘__return_true’, a WordPress helper that always returns true. Every request therefore passed the permission check, whether or not the caller was logged in, and reached ‘rest_upload’ without the capability checks that normally restrict uploads to authenticated users with the ‘upload_files’ capability. As the code below shows, the ‘/files/delete’ endpoint was registered the same way.

The root cause of this vulnerability was the absence of a proper ‘permission_callback’ parameter in the REST API endpoint. This oversight meant that any unauthenticated user could trigger the ‘rest_upload’ function, bypassing typical security measures that would restrict such actions to authenticated users.

classes/modules/files.php, function rest_api_init()

public function rest_api_init() {
    register_rest_route( $this->namespace, '/files/upload', array(
        'methods'             => 'POST',
        'callback'            => array( $this, 'rest_upload' ),
        'permission_callback' => '__return_true' // always true: unauthenticated requests are allowed through
    ) );
    register_rest_route( $this->namespace, '/files/delete', array(
        'methods'             => 'POST',
        'callback'            => array( $this, 'rest_delete' ),
        'permission_callback' => '__return_true' // same problem on the delete endpoint
    ) );
}
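The following is an added example, not the plugin’s own code or its actual fix, showing how the two missing layers described above fit together in a WordPress REST route: a ‘permission_callback’ that requires an authenticated user with the ‘upload_files’ capability, and an upload handler that rejects any file WordPress would not accept as a media file. The namespace ‘example/v1’ and the function name ‘hardened_rest_upload’ are assumptions for illustration; the WordPress functions used (register_rest_route, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, rest_ensure_response) are real core APIs.

```php
<?php
// Added example (not the plugin's code). Namespace 'example/v1' and the
// function name hardened_rest_upload are assumed names for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/files/upload', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_rest_upload',
        // Layer 1: only logged-in users who may upload media get this far.
        // For cookie-authenticated REST calls WordPress additionally requires a
        // valid X-WP-Nonce header before the user counts as logged in, so a
        // cross-site request from a victim's browser is rejected as well.
        'permission_callback' => function () {
            if ( ! current_user_can( 'upload_files' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to upload files.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
    ) );
} );

/**
 * Layer 2: validate the file itself. Even with the permission check in place,
 * this is what stops a low-privileged or compromised account from dropping a
 * PHP file into wp-content/uploads.
 */
function hardened_rest_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params(); // the $_FILES array for this request
    if ( empty( $files['file'] ) || ! is_array( $files['file'] ) ) {
        return new WP_Error( 'no_file', 'No file was uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // wp_check_filetype_and_ext() combines an extension allow-list
    // (get_allowed_mime_types(), which never contains php/phtml/phar unless a
    // filter adds them) with content sniffing for images and common document
    // types. Anything it cannot map to an allowed ext/type pair is refused.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type is not permitted.', array( 'status' => 415 ) );
    }

    // wp_handle_upload() repeats the type check, moves the file into the
    // uploads directory and assigns a unique, sanitized filename so the
    // client never controls the final path. 'test_form' => false is needed
    // because the request is not a classic admin form post.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }

    return rest_ensure_response( array(
        'url'  => $result['url'],
        'type' => $result['type'],
    ) );
}
```

The delete endpoint from the plugin code above should get the same kind of ‘permission_callback’ (and its handler should verify that the path being deleted lies inside the uploads directory), since an always-true callback there lets any visitor remove files. Note that the second layer matters on its own: an upload endpoint that checks only the caller’s identity but writes whatever filename and content it is given still becomes an RCE primitive the moment any account with access is phished or brute-forced.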

Recognizing the severity of this issue, the developers of the AI Engine plugin promptly released an update in version 1.9.99. This update patched the vulnerability and closed the security gap that allowed unauthenticated file uploads.

For users of the AI Engine plugin, the immediate action is to ensure that the plugin is updated to version 1.9.99 or later. Because the upload required no authentication, sites that ran a vulnerable version should also check wp-content/uploads (and the rest of the web root) for unexpected PHP files that may have been dropped before the update; updating alone does not remove a web shell that is already in place. Website administrators should always stay vigilant and keep all plugins and the WordPress core updated to safeguard against such vulnerabilities.