Hackers Actively Exploiting WordPress Plugin Arbitrary File Upload Vulnerability

Hackers have been actively exploiting a critical vulnerability in the WordPress plugin 简数采集器 (Keydatas).

The vulnerability, CVE-2024-6220, allows unauthenticated threat actors to upload arbitrary files to a vulnerable site, potentially leading to remote code execution and complete site takeover.

This alarming development underscores the importance of maintaining updated plugins and robust security measures.

Discovery and Initial Response

On June 18, 2024, during the 0-day Threat Hunt Promo of Wordfence’s Bug Bounty Program, a researcher known as Foxyyy discovered and responsibly reported the vulnerability.

The flaw was found in the Keydatas plugin, which has over 5,000 active installations. The vulnerability was quickly confirmed, and active exploitation attempts were observed within days.

CVE-2024-6220­ – Vulnerability Details

The vulnerability summary from Wordfence Intelligence reveals a critical flaw in the 简数采集器 (Keydatas) plugin for WordPress, affecting all versions up to and including 2.5.2.

Identified as CVE-2024-6220, this vulnerability allows unauthenticated arbitrary file uploads due to missing file type validation in the keydatas_downloadImages function.

Attribute	Details
Description	简数采集器 (Keydatas) <= 2.5.2 – Unauthenticated Arbitrary File Upload
Affected Plugin	简数采集器 (Keydatas)
Plugin Slug	keydatas
Affected Versions	<= 2.5.2
CVE ID	CVE-2024-6220
CVSS Score	9.8 (Critical)
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher	Foxyyy
Fully Patched Version	2.6.1
Bounty Award	$488.00
Vulnerability Details	The vulnerability stems from missing file type validation in the keydatas_downloadImages function, allowing attackers to upload arbitrary files, including malicious PHP scripts, to the WordPress uploads directory. This directory is publicly accessible, enabling remote code execution.

Technical Analysis

The Keydatas plugin connects a WordPress site with the keydatas.com app, primarily used to manage WordPress posts. The plugin’s keydatas_post_doc() function includes a password check, but the default password is set to “keydatas.com”.

$kds_password = get_option('keydatas_password', "keydatas.com"
$post_password = keydatas_getPostValSafe('kds_password');
if (empty($post_password) || $post_password != $kds_password) {
    keydatas_failRsp(1403, "password error", "提交的发布密码错误");
}

If site owners do not change this default password, attackers can exploit the plugin’s functions, including the vulnerable keydatas_downloadImages() function.

$docImgsStr = keydatas_getPostValSafe("__kds_docImgs");
if (!empty($docImgsStr)) {
    $docImgs = explode(',',$docImgsStr);
    if (is_array($docImgs)) {
        $upload_dir = wp_upload_dir();
        foreach ($docImgs as $imgUrl) {
            $urlItemArr = explode('/',$imgUrl);
            $itemLen=count($urlItemArr);
            if($itemLen>=3){
                //
                $fileRelaPath=$urlItemArr[$itemLen-3].'/'.$urlItemArr[$itemLen-2];
                $imgName=$urlItemArr[$itemLen-1];
                $finalPath=$upload_dir['basedir'] . '/'.$fileRelaPath;
                if (wp_mkdir_p($finalPath)) {
                    $file = $finalPath . '/' . $imgName;
                    if(!file_exists($file)){
                        $doc_image_data = file_get_contents($imgUrl);
                        file_put_contents($file, $doc_image_data);
                    }
                }
            }
        }//.for
    }//..is_array
}

The function downloads files specified in the __kds_docImgs request parameter using file_get_contents() and uploads them to the WordPress uploads directory using file_put_contents().

The lack of file type or extension checks allows attackers to upload malicious PHP files, potentially compromising site sites.

Top Attacking IP Addresses

• 103.233.8.166 (Hong Kong)
• 103.233.8.0 (Hong Kong)
• 163.172.77.82 (France)
• 84.17.37.217 (Hong Kong)
• 84.17.57.0 (Hong Kong)

Wordfence Premium, Care, and Response users received a firewall rule to protect against this vulnerability on June 20, 2024.

Free users received the same protection on July 20, 2024. The Keydatas team was contacted on June 20, 2024, but after no response, the issue was escalated to the WordPress.org Security Team, leading to the plugin’s closure on July 16, 2024.

A patch was released on July 29, 2024. Users are urged to update to the latest patched version, 2.6.1, immediately.

To safeguard against such exploits, plugins must be regularly updated, vulnerability scans conducted, and robust firewall protection employed.

The active exploitation of the CVE-2024-6220 vulnerability in the Keydatas plugin highlights the critical need for vigilance in maintaining website security.

By staying informed and proactive, website owners can protect their sites from malicious attacks and ensure a safer web environment for all.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access