high advisory

WordPress Anti-Malware Security and Bruteforce Firewall Directory Traversal Vulnerability

WordPress Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability (CVE-2021-47977) that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter in requests to admin-ajax.php.

CVE-2021-47977 is a directory traversal vulnerability affecting version 4.20.59 of the WordPress Anti-Malware Security and Bruteforce Firewall plugin. Unauthenticated attackers can exploit this vulnerability to read arbitrary files on the server by crafting malicious requests to the admin-ajax.php endpoint. The vulnerability is triggered when the duplicator_download action is called with a manipulated file parameter containing path traversal sequences (e.g., ../). Successful exploitation allows attackers to access sensitive files outside the intended directory, potentially exposing configuration files, database credentials, or other sensitive information. This vulnerability poses a significant risk to WordPress websites using the affected plugin.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress website using Anti-Malware Security and Bruteforce Firewall version 4.20.59.
  2. The attacker crafts an HTTP POST request targeting the admin-ajax.php endpoint.
  3. The request includes the action parameter set to duplicator_download.
  4. The attacker manipulates the file parameter within the POST request to include path traversal sequences (e.g., ../../../../etc/passwd).
  5. The WordPress server processes the request through the vulnerable plugin.
  6. The plugin fails to properly sanitize or validate the file parameter, allowing the path traversal sequence to be processed.
  7. The server attempts to read the file specified by the manipulated path.
  8. The contents of the targeted file are returned in the HTTP response, allowing the attacker to read arbitrary files on the server.

Impact

Successful exploitation of this directory traversal vulnerability (CVE-2021-47977) allows unauthenticated attackers to read arbitrary files on the affected WordPress server. This could lead to the disclosure of sensitive information such as database credentials, configuration files, or other sensitive data stored on the system. The impact of this vulnerability is significant, as it could enable attackers to gain unauthorized access to the website’s database or other critical resources.

Recommendation

  • Deploy the Sigma rule “Detect CVE-2021-47977 Exploitation Attempt - WordPress Anti-Malware Directory Traversal” to your SIEM to detect exploitation attempts targeting this vulnerability.
  • Inspect webserver logs for POST requests to admin-ajax.php whose action parameter is duplicator_download and whose file parameter contains path traversal sequences; the Sigma rule keys on the webserver logsource's cs-uri-stem and cs-uri-query fields.
  • Consider using a Web Application Firewall (WAF) to filter requests containing path traversal sequences to mitigate the risk of exploitation.

Detection coverage (2 rules)

Detect CVE-2021-47977 Exploitation Attempt - WordPress Anti-Malware Directory Traversal

high

Detects a CVE-2021-47977 exploitation attempt (directory traversal in the WordPress Anti-Malware Security and Bruteforce Firewall plugin) by matching path traversal sequences in the 'file' parameter of requests to admin-ajax.php.

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect CVE-2021-47977 - WordPress Anti-Malware - Request Encoding Evasion

high

Detects a CVE-2021-47977 exploitation attempt that uses URL-encoded traversal characters against the WordPress Anti-Malware plugin.

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
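As an added illustration of the log inspection the Recommendation section and both detection rules describe (example code written for this advisory, not one of the platform's rules), the following Python scans constructed W3C-style webserver log lines for the advisory's pattern and normalises percent-encoded and double-encoded traversal sequences, which goes slightly beyond the single URL encoding the second rule names. It assumes the request parameters are visible in the logged cs-uri-query field, as the rule's field list implies; the log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed W3C-style webserver log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# These are sample entries written for this example, not real traffic.
SAMPLE_LOGS = [
    "2024-01-01 10:00:01 203.0.113.5 POST /wp-admin/admin-ajax.php action=duplicator_download&file=../../../../etc/passwd 200",
    "2024-01-01 10:00:02 203.0.113.5 POST /wp-admin/admin-ajax.php action=duplicator_download&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd 200",
    "2024-01-01 10:00:03 203.0.113.5 POST /wp-admin/admin-ajax.php action=duplicator_download&file=%252e%252e%252fetc%252fpasswd 200",
    "2024-01-01 10:00:04 198.51.100.7 POST /wp-admin/admin-ajax.php action=duplicator_download&file=backup.zip 200",
    "2024-01-01 10:00:05 198.51.100.7 POST /wp-admin/admin-ajax.php action=heartbeat&file=../x 200",
    "2024-01-01 10:00:06 198.51.100.7 GET /index.php p=1 200",
]

# A traversal segment is ".." bounded by a path separator (either slash style) or the string edge.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded %252e%252e%252f also becomes ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_log_line(line):
    """Split one constructed log line into the fields the Sigma rule keys on."""
    _date, _time, c_ip, method, stem, query, status = line.split()
    return {"c-ip": c_ip, "cs-method": method, "cs-uri-stem": stem, "cs-uri-query": query, "sc-status": status}

def is_cve_2021_47977_attempt(entry):
    """True when the request matches the advisory's pattern: admin-ajax.php,
    action=duplicator_download, and a file parameter carrying a traversal sequence."""
    if not entry["cs-uri-stem"].endswith("/admin-ajax.php"):
        return False
    params = parse_qs(entry["cs-uri-query"], keep_blank_values=True)  # decodes one encoding layer
    if params.get("action", [""])[0] != "duplicator_download":
        return False
    return any(TRAVERSAL.search(fully_decode(f)) for f in params.get("file", []))

def scan_logs(lines):
    """Return the matching entries, each annotated with the decoded file parameter for triage."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if is_cve_2021_47977_attempt(entry):
            entry["decoded_file"] = fully_decode(parse_qs(entry["cs-uri-query"])["file"][0])
            hits.append(entry)
    return hits
```

Running scan_logs(SAMPLE_LOGS) flags the three 203.0.113.5 requests and ignores the legitimate download, the non-duplicator action and the unrelated GET.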
