critical threat

CVE-2021-47965: WordPress WP Super Edit Plugin Unrestricted File Upload

WordPress WP Super Edit plugin version 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component, allowing unauthenticated attackers to upload arbitrary files leading to remote code execution and complete system compromise.

The WordPress WP Super Edit plugin, specifically versions 2.5.4 and earlier, is vulnerable to unrestricted file uploads due to a flaw in the integrated FCKeditor component. This vulnerability, identified as CVE-2021-47965, allows unauthenticated attackers to bypass file type validation and upload arbitrary files, including malicious PHP scripts or executables. By exploiting this vulnerability via the filemanager upload endpoint, attackers can achieve remote code execution on the target web server, potentially leading to complete system compromise. The vulnerability poses a significant risk to websites using the affected plugin versions, potentially impacting sensitive data, user accounts, and overall website functionality.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress website using a vulnerable version (<=2.5.4) of the WP Super Edit plugin.
  2. The attacker accesses the filemanager upload endpoint, typically found within the FCKeditor component’s directory.
  3. The attacker crafts a malicious HTTP POST request to the upload endpoint.
  4. Within the POST request, the attacker includes a payload, such as a PHP script containing malicious code, disguised with a manipulated file extension (e.g., “shell.php.jpg”).
  5. Due to the missing or inadequate file type validation, the web server stores the malicious file in the upload directory.
  6. The attacker determines the file’s location on the server.
  7. The attacker then sends a new HTTP request to execute the uploaded PHP script, triggering remote code execution.
  8. The attacker gains control of the web server, potentially installing malware, exfiltrating data, or performing other malicious actions.

Impact

Successful exploitation of CVE-2021-47965 allows unauthenticated attackers to upload arbitrary files, leading to remote code execution and complete system compromise. Affected websites could suffer data breaches, defacement, malware infections, and loss of service. Given the wide use of WordPress, this vulnerability poses a high risk to a large number of websites, especially those that have not updated their plugins.

Recommendation

  • Immediately update the WP Super Edit plugin to a version higher than 2.5.4 to patch CVE-2021-47965.
  • Deploy the Sigma rules provided in this brief to your SIEM to detect exploitation attempts targeting the filemanager upload endpoint.
  • Implement web application firewall (WAF) rules to block requests with suspicious file extensions or content targeting the FCKeditor upload directory.

Detection coverage (2 rules)

Detects CVE-2021-47965 Exploitation Attempt — WP Super Edit File Upload

critical

Detects CVE-2021-47965 exploitation attempt — HTTP POST request to the filemanager upload endpoint with suspicious file extensions indicative of an unrestricted file upload attempt.

Rule type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detects CVE-2021-47965 Exploitation — Uploaded File Execution

high

Detects CVE-2021-47965 exploitation — Access to files uploaded to the FCKeditor upload directory with executable extensions.

Rule type: sigma | Tactics: execution | Techniques: T1059 | Sources: webserver
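As an added illustration of the two detections described above (example code written for this brief, not the platform's own Sigma rules), the following classifier applies the same two conditions to web server access-log lines: a POST to the FCKeditor filemanager upload endpoint carrying an executable extension, and a subsequent request for a server-side script inside the upload directory. The plugin path in the sample lines is a placeholder, the log lines are constructed, and `/userfiles/` as the upload directory name is an assumption based on FCKeditor's default.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/Nginx "combined" access-log line; the sample lines further down are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Server-side script extensions; a hit anywhere in the extension chain ("shell.php.jpg") counts,
# because multi-extension handling on the web server can still execute such a file.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Assumption: FCKeditor's default upload directory name; adjust to the site's configuration.
UPLOAD_DIR_HINT = "/userfiles/"

def has_exec_extension(name):
    """True if any extension after the first dot of the last path segment is a script extension."""
    parts = unquote(name).lower().rsplit("/", 1)[-1].split(".")
    return any(p in EXEC_EXTS for p in parts[1:])

def classify(line):
    """Return (severity, rule_name) for one access-log line, or None if neither rule matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, uri = m["method"], m["uri"]
    path = urlsplit(uri).path.lower()
    # Rule 1: POST to the FCKeditor filemanager upload endpoint with an executable extension in a
    # query-string value. Plain multipart uploads carry the filename only in the body, which access
    # logs do not record, so pair this with a WAF or body-inspecting source where available.
    if method == "POST" and all(k in path for k in ("fckeditor", "filemanager", "upload")):
        if any(has_exec_extension(v) for _, v in parse_qsl(urlsplit(uri).query)):
            return ("critical", "CVE-2021-47965 upload attempt")
    # Rule 2: any request for a server-side script that lives under the upload directory.
    if UPLOAD_DIR_HINT in path and has_exec_extension(path):
        return ("high", "CVE-2021-47965 uploaded file execution")
    return None

# Constructed sample traffic (placeholder plugin path, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-content/plugins/wp-super-edit/fckeditor/editor/filemanager/upload.php?NewFile=shell.php.jpg HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/wp-super-edit/fckeditor/userfiles/shell.php.jpg HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/wp-super-edit/fckeditor/userfiles/photo.jpg HTTP/1.1" 200 4096
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-content/plugins/wp-super-edit/fckeditor/editor/fckeditor.js HTTP/1.1" 200 9000
"""

def scan(log_text):
    """Return [(client_ip, severity, rule_name)] for every line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((LOG_RE.match(line)["ip"],) + verdict)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the first two sample lines fire; the legitimate image fetch and the editor's own JavaScript file are left alone because neither carries a script extension under the upload directory.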
