CVE-2022-0403 in Library File Manager Plugin

Summary

by MITRE • 04/04/2022

The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is known to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscribers, to call it. Furthermore, as the options passed to the elFinder library do not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.


Analysis

by VulDB Data Team • 04/06/2022

CVE-2022-0403 affects the Library File Manager WordPress plugin up to and including version 5.2.2. Two independent problems combine here. First, the plugin bundles an outdated elFinder release that is known to be affected by CVE-2021-32682, a set of flaws in the elFinder PHP connector that allow arbitrary file operations. Second, the plugin's own connector AJAX action performs neither an authorization (capability) check nor a CSRF (nonce) check, so every authenticated user, whatever their role, can reach the elFinder connector through WordPress's AJAX endpoint.

The flaw is the absence of any role-based access control in front of the plugin's file management connector: a user holding the lowest default role, subscriber, can create, upload, and delete files and folders. This maps to CWE-285 (Improper Authorization) and is a direct violation of the principle of least privilege. Because the options the plugin hands to elFinder do not restrict upload types either, an attacker can upload files with any extension, including PHP scripts that the web server will execute, which is all that is needed to plant a web shell and take over the whole WordPress installation.
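The following is an added illustration, not code from the Library File Manager plugin or from elFinder: it shows the vulnerable WordPress AJAX pattern the two paragraphs above describe beside a hardened version. The action name lfm_connector, the upload directory, and the MIME allow-list are assumptions chosen for the example. Note that the option hardening only closes the plugin-side authorization and upload-type gaps; CVE-2021-32682 in elFinder itself is fixed only by updating the library.

```php
<?php
// Added example (hypothetical names): WordPress AJAX handlers in front of elFinder.

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user, subscribers included, so the
// hook alone is not an authorization check. No nonce is verified, and the root
// options carry no upload restrictions, so a .php upload is accepted.
add_action('wp_ajax_lfm_connector', 'lfm_connector_vulnerable');
function lfm_connector_vulnerable() {
    $opts = array(
        'roots' => array(array(
            'driver' => 'LocalFileSystem',
            'path'   => WP_CONTENT_DIR . '/uploads/library/', // assumed directory
            'URL'    => content_url('/uploads/library/'),     // assumed URL
            // no uploadAllow / uploadDeny / uploadOrder: anything goes
        )),
    );
    $connector = new elFinderConnector(new elFinder($opts));
    $connector->run(); // elFinder emits JSON and exits
}

// --- Hardened pattern ---------------------------------------------------------
add_action('wp_ajax_lfm_connector_secure', 'lfm_connector_secure');
function lfm_connector_secure() {
    // 1. Authorization: require a capability the feature's intended users hold.
    //    'upload_files' is granted to Author and above; Subscriber lacks it.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403); // wp_send_json_error() ends the request
    }
    // 2. CSRF: the client must send a nonce minted with
    //    wp_create_nonce('lfm_connector') in the "_wpnonce" parameter;
    //    check_ajax_referer() stops the request when it is missing or stale.
    check_ajax_referer('lfm_connector', '_wpnonce');

    $opts = array(
        'roots' => array(array(
            'driver'        => 'LocalFileSystem',
            'path'          => WP_CONTENT_DIR . '/uploads/library/', // assumed directory
            'URL'           => content_url('/uploads/library/'),     // assumed URL
            // 3. Upload type restriction: deny everything, then allow only the
            //    MIME types the feature needs; uploadOrder applies deny first so
            //    the allow-list is the final word.
            'uploadDeny'    => array('all'),
            'uploadAllow'   => array('image/png', 'image/jpeg', 'image/gif', 'application/pdf'),
            'uploadOrder'   => array('deny', 'allow'),
            // 4. Per-path access control callback (defined below).
            'accessControl' => 'lfm_access_control',
        )),
    );
    $connector = new elFinderConnector(new elFinder($opts));
    $connector->run();
}

// elFinder calls this for every path it touches. Denying read and write on
// dotfiles (outside the volume root) keeps a user from dropping an .htaccess
// that re-enables PHP execution inside the upload directory.
function lfm_access_control($attr, $path, $data, $volume, $isDir, $relpath) {
    $basename = basename($path);
    if ($basename !== '' && $basename[0] === '.' && strlen($relpath) !== 1) {
        // read/write -> false; locked/hidden -> true
        return !($attr === 'read' || $attr === 'write');
    }
    return null; // null lets elFinder apply the volume defaults
}
```

The order of the checks matters: the capability test runs before the nonce test, so an unprivileged account is rejected without learning whether its nonce was valid, and both run before elFinder sees a single byte of the request.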

The operational impact is severe because every authenticated account, even a self-registered subscriber, becomes a path to remote code execution and persistent access. An attacker can upload a web shell, stage data exfiltration tooling, or plant backdoors that survive a password reset. The missing CSRF protection widens the reach further: an unauthenticated attacker can have the browser of a logged-in user, including an administrator, submit the connector request on their behalf, while the missing authorization check lets an attacker who already holds low-privileged credentials exploit the flaw fully automatically. In ATT&CK terms this is T1078 (Valid Accounts) leading to T1505.003 (Server Software Component: Web Shell), which is particularly dangerous on multi-user sites with open registration or many low-privileged accounts.

Organizations should update the Library File Manager plugin to version 5.2.3 or later without delay. Beyond patching, defence in depth is cheap here: configure the web server to refuse to execute PHP inside the upload directory (an Apache or nginx rule on wp-content/uploads), review the plugin's elFinder options so that only the file types the feature needs are uploadable, and audit roles so that low-privileged accounts hold no more capabilities than necessary. For detection, review web server logs for POST requests to admin-ajax.php that carry the plugin's connector action from subscriber-level accounts, and look for newly created .php files (or .htaccess files) under the upload directory. More generally, the case shows why bundled third-party libraries must be tracked and updated like any other dependency, and why every AJAX action needs an explicit capability check and nonce.

Reservation

01/28/2022

Disclosure

04/04/2022

Moderation

accepted

CPE

ready

EPSS

0.01247

KEV

no

Activities

very low

Sources
