Attack Chain

1. An unauthenticated attacker identifies a WordPress website using Anti-Malware Security and Bruteforce Firewall version 4.20.59.
2. The attacker crafts an HTTP POST request targeting the admin-ajax.php endpoint.
3. The request includes the action parameter set to duplicator_download.
4. The attacker manipulates the file parameter within the POST request to include path traversal sequences (e.g., ../../../../etc/passwd).
5. The WordPress server processes the request through the vulnerable plugin.
6. The plugin fails to properly sanitize or validate the file parameter, allowing the path traversal sequence to be processed.
7. The server attempts to read the file specified by the manipulated path.
8. The contents of the targeted file are returned in the HTTP response, allowing the attacker to read arbitrary files on the server.

Impact

Successful exploitation of this directory traversal vulnerability (CVE-2021-47977) allows unauthenticated attackers to read arbitrary files on the affected WordPress server. This could lead to the disclosure of sensitive information such as database credentials, configuration files, or other sensitive data stored on the system. The impact of this vulnerability is significant, as it could enable attackers to gain unauthorized access to the website’s database or other critical resources.

Recommendation

• Deploy the Sigma rule “Detect CVE-2021-47977 Exploitation Attempt - WordPress Anti-Malware Directory Traversal” to your SIEM to detect exploitation attempts targeting this vulnerability.
• Inspect webserver logs for suspicious POST requests to admin-ajax.php with the action parameter set to duplicator_download and the file parameter containing path traversal sequences, as highlighted in the Sigma rule (logsource: webserver, cs-uri-stem, cs-uri-query).
• Consider using a Web Application Firewall (WAF) to filter requests containing path traversal sequences to mitigate the risk of exploitation.