WordPress Plugin Vulnerability Report – SiteOrigin Widgets Bundle – Authenticated (Admin+) Local File Inclusion – CVE-2023-6295

Plugin Name: SiteOrigin Widgets Bundle

Key Information:

  • Software Type: Plugin
  • Software Slug: so-widgets-bundle
  • Software Status: Active
  • Software Author: gpriday
  • Software Downloads: 36,509,376
  • Active Installs: 600,000
  • Last Updated: November 27, 2023
  • Patched Versions: 1.51.0
  • Affected Versions: <= 1.50.1

Vulnerability Details:

  • Name: SiteOrigin Widgets Bundle < 1.51.0 - Authenticated (Admin+) Local File Inclusion
  • Title: Authenticated (Admin+) Local File Inclusion
  • Type: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
  • CVE: CVE-2023-6295
  • CVSS Score: 7.4 (High)
  • Publicly Published: November 27, 2023
  • Researcher: Sebastian Neef
  • Description: The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.50.1. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Summary:

The SiteOrigin Widgets Bundle for WordPress has a vulnerability in versions up to and including 1.50.1 that allows authenticated users with admin access to include arbitrary local files. This vulnerability has been patched in version 1.51.0.

Detailed Overview:

In SiteOrigin Widgets Bundle versions up to and including 1.50.1, the filename passed to include/require statements in the plugin's PHP code is not properly controlled. This makes it possible for authenticated users with admin access or above to execute arbitrary PHP code by including malicious files already stored on the server. The vulnerability was reported by researcher Sebastian Neef.

This introduces several risks, as attackers could bypass access controls, obtain sensitive data stored on the server, or achieve remote code execution by including file types that can contain executable PHP code.

To remediate this vulnerability, users should update to version 1.51.0 or later, which fixes the issue by properly sanitizing the user-supplied value before it is used in include/require statements.
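To make the flaw class concrete, the following is an added illustration written for this report; it is not SiteOrigin's code and does not reproduce the plugin's actual logic. It shows a hypothetical widget template loader in the vulnerable shape the advisory describes (CWE-98, the filename for include comes straight from a user-controlled setting) beside a hardened form that resolves the setting through an allowlist and re-checks the canonical path. The `TEMPLATE_DIR` constant, the template names and the function names are all assumptions made for the example.

```php
<?php
// Added illustration, not SiteOrigin's code: a hypothetical widget template
// loader in the vulnerable shape the advisory describes, beside a hardened form.

declare(strict_types=1);

// Hypothetical directory holding the widget's template files (assumption).
const TEMPLATE_DIR = __DIR__ . '/tpl';

/**
 * Vulnerable pattern: the filename used by include comes straight from a
 * user-controlled setting. A value containing "../" segments, or pointing at an
 * uploaded "safe" file type that contains PHP, is included and executed.
 */
function load_template_unsafe(string $template): void
{
    include TEMPLATE_DIR . '/' . $template;
}

/**
 * Hardened form: the setting is only ever used to look up an entry in a fixed
 * allowlist, and the resolved path is re-checked against TEMPLATE_DIR before
 * include runs. Anything else is rejected and the function returns null.
 */
function resolve_template(string $template): ?string
{
    // 1. Allowlist of templates this hypothetical widget actually ships.
    static $allowed = ['default', 'compact', 'grid'];
    if (!in_array($template, $allowed, true)) {
        return null;
    }

    // 2. Build the path from constants, never from the raw input, and confirm
    //    the canonical path is still inside TEMPLATE_DIR. This second check
    //    guards against symlinks and against a later edit that relaxes step 1.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** Includes the resolved template; returns false (and logs) on a rejected name. */
function load_template_safe(string $template): bool
{
    $path = resolve_template($template);
    if ($path === null) {
        // Log and fall back rather than include whatever was requested.
        error_log('rejected widget template name: ' . $template);
        return false;
    }
    include $path;
    return true;
}
```

The design point is that the user-supplied string never becomes part of a filesystem path; it selects among paths the code itself constructs, and the `realpath` containment check makes the rejection independent of how the allowlist is maintained. One caveat worth keeping in mind when rating the exposure: on a single-site WordPress install an Administrator can normally upload plugins anyway, so a bug requiring Admin+ matters most on multisite (where only Super Admins can install code) and on sites that restrict file changes with `DISALLOW_FILE_MODS` or `DISALLOW_FILE_EDIT`.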

Advice for Users:

  1. Immediate Action: Update to the latest patched version 1.51.0 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review server logs for any unexpected include or require statements. Also check for unexpected files or command execution on your system.
  3. Alternate Plugins: Consider alternate gallery or widget plugins such as Widget Logic or Widget Options as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerabilities. Monitor the SiteOrigin Widgets Bundle plugin for notifications.
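The following added script turns steps 1 and 2 above into a repeatable check. It is written for this report and is not code from the plugin, Wordfence or SiteOrigin. It reads the installed plugin version from the plugin's main file header and compares it with the patched release 1.51.0 from the advisory, then lists any PHP files under `wp-content/uploads`, a directory that normally contains none and is one place an "unexpected file" from step 2 would show up. It assumes the plugin's main file is `wp-content/plugins/so-widgets-bundle/so-widgets-bundle.php` (the slug is from the advisory; the file name is an assumption) and that it is run with the WordPress root as its argument.

```php
<?php
// Added illustration, not the plugin's or Wordfence's code.
// Usage: php check-sowb.php /var/www/html   (defaults to the current directory)

declare(strict_types=1);

const PATCHED_VERSION = '1.51.0';   // patched release named in the advisory

/** Read the "Version:" header from a plugin main file; null if unreadable/absent. */
function plugin_version(string $main_file): ?string
{
    if (!is_readable($main_file)) {
        return null;
    }
    // Plugin headers live in the first few KB of the main file.
    $header = file_get_contents($main_file, false, null, 0, 8192);
    if ($header === false) {
        return null;
    }
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the installed version is below the patched release. */
function is_vulnerable_version(?string $installed): bool
{
    return $installed !== null && version_compare($installed, PATCHED_VERSION, '<');
}

/** List files with PHP-executable extensions under wp-content/uploads. */
function php_files_in_uploads(string $wp_root): array
{
    $uploads = $wp_root . '/wp-content/uploads';
    if (!is_dir($uploads)) {
        return [];
    }
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.ph(p\d?|tml|ar)$/i', $file->getFilename())) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

$root = $argv[1] ?? getcwd();
// Assumed main-file path for the plugin (slug from the advisory, file name assumed).
$main = $root . '/wp-content/plugins/so-widgets-bundle/so-widgets-bundle.php';
$version = plugin_version($main);

if ($version === null) {
    echo "SiteOrigin Widgets Bundle not found under {$root}\n";
} elseif (is_vulnerable_version($version)) {
    echo "VULNERABLE: installed {$version}, patched release is " . PATCHED_VERSION . "\n";
} else {
    echo "OK: installed {$version}\n";
}

foreach (php_files_in_uploads($root) as $path) {
    echo "review: PHP file in uploads: {$path}\n";
}
```

A PHP file under uploads is not proof of compromise on its own (some plugins legitimately write there), but each one should be accounted for; the same applies to any file whose extension looks harmless while its contents are PHP, which this extension-based scan will not flag.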

Conclusion:

The prompt patch released for this critical vulnerability shows the plugin authors are staying on top of security issues. Users should install version 1.51.0 immediately to close this vulnerability on their WordPress sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/so-widgets-bundle

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/so-widgets-bundle/siteorigin-widgets-bundle-1510-authenticated-admin-local-file-inclusion

Detailed Report:

Keeping your WordPress site secure should be a top priority – but with plugins and themes constantly being updated, it can be challenging to stay on top of everything. Unfortunately, running outdated software leaves you vulnerable to attackers exploiting newly discovered security flaws.

Case in point: researchers recently disclosed a critical vulnerability in versions 1.50.1 and below of the popular SiteOrigin Widgets Bundle plugin, which to date has over 36 million downloads. This plugin allows users to build custom, responsive widgets with images, media, maps and more.

The vulnerability allows authenticated users with at least Admin access to remotely execute malicious code on vulnerable websites. Specifically, improper input sanitization lets malicious users control which files on the server are passed to include and require statements. This could permit access bypass, data exposure, or even full remote code execution.

While the plugin developers have now issued a patch in version 1.51.0, any site still running an older version is put at serious risk. Based on over 600,000 active installs, that’s a lot of WordPress sites potentially compromised by this one vulnerability.

If exploited, this flaw enables attackers to potentially fully compromise WordPress sites. They could steal data, inject malware, ransomware and more. Unfortunately, this is not the first major security issue found in the SiteOrigin Widgets Bundle. Previous cross-site scripting, access bypass and information disclosure bugs have also surfaced over the past 2 years.

So what’s an owner of a WordPress site using this plugin to do? First and foremost, if you have the SiteOrigin Widgets Bundle installed, update it to the latest patched release (1.51.0) immediately. You’ll also want to watch closely for any strange activity on your site that could indicate exploitation. Secondly, adopt the habit of routinely checking and upgrading any plugins you use to avoid nasty surprises in the future.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
