Platform
wordpress
Component
wpdirectorykit
Fixed version
1.1.10
CVE-2023-2278 is a critical Local File Inclusion (LFI) vulnerability in the WP Directory Kit plugin for WordPress (wordpress.org slug wpdirectorykit). It affects versions up to and including 1.1.9 and is fixed in 1.1.10. An unauthenticated attacker can make the plugin include an arbitrary file from the server's filesystem. Because PHP executes whatever it includes, this becomes code execution whenever the attacker can place a file containing PHP on the server (for example, an image upload with embedded PHP), and otherwise discloses the contents of sensitive files such as wp-config.php. Upgrading to 1.1.10 or later is the recommended remediation.
The impact of CVE-2023-2278 is severe. An attacker who reaches code execution through this LFI controls the web server process and with it the WordPress site: data exfiltration, modification of site content, and installation of web shells or other malware all follow. The attacker can read the database credentials from wp-config.php and from there reach anything stored in the WordPress database, including user credentials and customer or financial data. The compromised server can then be used as a foothold to attack other systems on the same network or host, widening the blast radius well beyond the site itself.
CVE-2023-2278 was publicly disclosed on June 13, 2023. It is considered highly exploitable because no authentication is required and the attacker directly controls the included path. Public proof-of-concept (PoC) code may appear and would further raise the risk. No active campaigns had been attributed to this CVE at the time of writing, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the severity and ease of exploitation warrant prompt patching.
Websites using the WP Directory Kit plugin at version 1.1.9 or earlier are at significant risk, especially where no web application firewall or filesystem hardening is in place. Shared hosting environments, where multiple websites run on the same server, are at increased risk because a compromise of one site can lead to the compromise of others on the same host.
• wordpress: confirm the plugin is present. Finding the function only shows the code path exists (it is also present in patched releases), so the installed version decides:
grep -r 'wdk_public_action' /var/www/html/wp-content/plugins/wpdirectorykit/
• wordpress: list the installed plugin and its version with WP-CLI; anything at or below 1.1.9 is affected:
wp plugin list | grep 'wpdirectorykit'
• wordpress: update to 1.1.10 or later:
wp plugin update wpdirectorykit
• generic web: check the WordPress plugin directory for updated versions and security advisories.
• generic web: review web server access logs for suspicious requests (path traversal sequences, encoded dot-dot, PHP stream wrappers) targeting the plugin's public action.
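The version check and log review above, carried through as one script. This is an added example written for this page, not code from the advisory or from the WP Directory Kit project. It assumes the plugin lives in wp-content/plugins/wpdirectorykit/ with main file wpdirectorykit.php (derived from the slug shown on this page), that the action name wdk_public_action appears in the request line, and it uses a constructed plugin header, a placeholder parameter name (file) and constructed access-log lines as input. Adjust the paths and the traversal pattern to your own install and traffic.

```shell
#!/usr/bin/env bash
# Added example, not code from the advisory or the WP Directory Kit project.
# (1) Read the installed plugin version from the plugin header and compare it
#     with the fixed release named on this page (1.1.10).
# (2) Scan access-log lines for LFI-style requests that name the plugin's
#     wdk_public_action AJAX action.
# Assumptions: plugin directory wp-content/plugins/wpdirectorykit/, main file
# wpdirectorykit.php; the action name appears in the request line. The
# parameter name "file" and the log lines below are constructed for illustration.

FIXED_VERSION="1.1.10"

# Extract the "Version:" header value from a WordPress plugin main file.
plugin_version() {
    grep -m1 -iE '^[[:space:]]*\**[[:space:]]*Version:' "$1" \
        | sed 's/^.*Version:[[:space:]]*//' | tr -d '[:space:]'
}

# True (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify the plugin directory $1: exit 0 patched, 1 vulnerable, 2 not installed.
check_plugin_dir() {
    main="$1/wpdirectorykit.php"
    if [ ! -f "$main" ]; then
        echo "wpdirectorykit: not installed"
        return 2
    fi
    v="$(plugin_version "$main")"
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "wpdirectorykit $v: VULNERABLE (fixed in $FIXED_VERSION)"
        return 1
    fi
    echo "wpdirectorykit $v: patched"
    return 0
}

# Print stdin lines that reference the plugin action together with a
# traversal sequence or stream wrapper. Tune the second pattern to your traffic.
scan_access_log() {
    grep -iE 'wdk_public_action' | grep -iE '(\.\./|\.\.%2f|%2e%2e|php://|/etc/passwd)'
}

# Constructed fixture: a plugin header at the last vulnerable release.
make_fixture() {
    dir="$(mktemp -d)"
    cat > "$dir/wpdirectorykit.php" <<'EOF'
<?php
/*
 * Plugin Name: WP Directory Kit
 * Version: 1.1.9
 */
EOF
    printf '%s\n' "$dir"
}

# Constructed access-log lines (Apache combined format); "file" is a placeholder parameter.
SAMPLE_LOG='203.0.113.5 - - [13/Jun/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&file=../../../../wp-config.php HTTP/1.1" 200 512
203.0.113.5 - - [13/Jun/2023:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512
198.51.100.7 - - [13/Jun/2023:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&file=listing HTTP/1.1" 200 2048
198.51.100.8 - - [13/Jun/2023:10:00:04 +0000] "GET /?s=directory HTTP/1.1" 200 4096'

# Run both checks against the constructed inputs.
demo() {
    fixture="$(make_fixture)"
    check_plugin_dir "$fixture" || true
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log
    rm -rf "$fixture"
}
demo
```

On a real host, point check_plugin_dir at /var/www/html/wp-content/plugins/wpdirectorykit and pipe the actual access log into scan_access_log. The version comparison is done numerically per component so that 1.1.9 sorts below 1.1.10, which a plain string comparison gets wrong. The two matching sample lines (a raw ../ traversal and a URL-encoded one) show why the pattern must be matched case-insensitively and against encoded forms as well.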
disclosure
Exploit status
EPSS
0.66% (71st percentile)
CVSS vector
The primary mitigation for CVE-2023-2278 is to upgrade WP Directory Kit to 1.1.10 or later. If upgrading is not immediately feasible because of compatibility concerns, reduce exposure in the meantime: deactivate the plugin where the site can tolerate it; make sure attackers cannot place files they control on the server (tighten upload handling and strip executable content from uploaded media), since an attacker-controlled file is what turns this LFI into code execution; and configure the web application firewall (WAF) to block requests carrying path traversal sequences (../ and encoded variants such as %2e%2e%2f) or PHP stream wrappers. Regularly review installed plugins and remove any that are unused or unmaintained. After upgrading, verify that the installed version is 1.1.10 or later (for example with wp plugin get wpdirectorykit --field=version) rather than relying on a negative test against the endpoint, which cannot prove the include path is closed.
Update the WP Directory Kit plugin to the latest version. This vulnerability enables Local File Inclusion, which can lead to arbitrary code execution on the server.
CVE-2023-2278 is a critical Local File Inclusion (LFI) vulnerability in the WP Directory Kit plugin for WordPress, versions up to and including 1.1.9, that lets an unauthenticated attacker include arbitrary files and, where an attacker-controlled file can be placed on the server, execute PHP code.
If you run WP Directory Kit version 1.1.9 or earlier, you are affected; version 1.1.10 contains the fix.
Upgrade WP Directory Kit to 1.1.10 or later. If an immediate upgrade is not possible, deactivate the plugin or, at minimum, block traversal patterns at the WAF and ensure attacker-controlled files cannot be written to the server.
No confirmed active campaigns have been publicly reported, but the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation.
Check the WP Directory Kit plugin's official website and the WordPress plugin repository for security advisories and updates related to CVE-2023-2278.