Updated: 03.01.2023
Subscriber+ Path Traversal Leading to Local File Inclusion in OceanWP Theme <= 3.4.1
Rafie Muhammad
from patchstack

If you’re an OceanWP user, please update the theme to at least version 3.4.2.

Patchstack Pro and Business users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they are disclosed.

For plugin developers, we offer security audit services, and for hosting companies a Threat Intelligence Feed API.

Introduction

The OceanWP theme (versions 3.4.1 and below, free version), which has over 700,000 active installations, is one of the most popular free themes on WordPress. The theme is considered lightweight and highly extendable, and it lets users build almost any type of website, such as a blog, portfolio, business website or WooCommerce storefront, with a beautiful and professional design.

This theme suffers from an authenticated Local File Inclusion (LFI) vulnerability. It allows any authenticated user with at least the Subscriber role to include local files on the WordPress server, limited to files with a .php extension. The vulnerability was fixed in version 3.4.2 and assigned CVE-2023-23700.

The security vulnerability in OceanWP

https://patchstack.com/database/vulnerability/oceanwp/wordpress-oceanwp-theme-3-4-1-authenticated-local-file-inclusion-vulnerability

This is the first vulnerability I personally found in a WordPress theme. Generally, if we compare plugins and themes, themes tend to process user input much less frequently than plugins, so far fewer vulnerabilities exist in themes than in plugins.

The initial discovery of this vulnerability happened when we analyzed a few of the wp_ajax actions in the theme. One of the available wp_ajax actions is wp_ajax_oceanwp_cp_load_pane_action, which loads the theme panel pane. This action is handled by the load_theme_panel_pane function:

/**
 * Load the pane by the slug name.
 *
 * This function is called via admin-ajax.php.
 */
public function load_theme_panel_pane() {
    $slug = esc_attr( $_POST['slug'] );
    ob_start();
    $this->print_pane( $slug );
    $pane_html = ob_get_clean();
    $pane_html = '<div class="oceanwp-tp-preloader"><div class="oceanwp-tp-loader"></div></div>' . $pane_html;
    wp_send_json_success( $pane_html );
    wp_die();
}

The function first passes $_POST['slug'] through esc_attr and assigns the result to the $slug variable. It then calls $this->print_pane with $slug as the parameter.

/**
 * Print pane HTML by slug.
 *
 * @param string $slug Pane ID.
 */
public function print_pane( $slug = '' ) {
    $sections = $this->get_sections();

    $default = reset( $sections );

    if ( empty( $slug ) ) {
        $slug = $default['href'];
    }

    $file = OCEANWP_THEME_PANEL_DIR . "/views/panes/{$slug}.php";

    // String pattern replace.
    $slug = str_replace( '-', '_', $slug );

    // Get file location.
    $file = apply_filters( "oceanwp_theme_panel_pane_{$slug}", $file );

    if ( file_exists( $file ) ) {
        include_once $file;
        return;
    }
}

The $slug variable is interpolated into the $file path. The code then reassigns $file through the apply_filters function, using a hook name derived from $slug. Since no filter is attached to that hook name, the $file variable is returned unmodified.

Finally, the code checks whether $file exists using file_exists and then includes it. Because esc_attr only encodes HTML special characters and leaves dots and slashes untouched, we are able to supply a path traversal payload to include an arbitrary local .php file.

The patch in OceanWP

Since this issue stems from the code building part of an included file path from user input, the developer decided to apply the basename function to the $slug variable. The patch can be found here:
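As an added illustration that is not the theme's own code, the following PHP contrasts the unpatched path construction with the basename() fix the developer applied and with a stricter allowlist check; the panel directory, pane names and slug payloads are constructed for the example.

```php
<?php
// Added example, not OceanWP code. PANEL_DIR stands in for the theme's
// OCEANWP_THEME_PANEL_DIR constant (assumed location, constructed here).
const PANEL_DIR = '/var/www/html/wp-content/themes/oceanwp/inc/panel';

// Unpatched behaviour: $slug is interpolated as-is, so "../" segments in
// the slug walk out of the panes directory before ".php" is appended.
function pane_path_unpatched(string $slug): string {
    return PANEL_DIR . "/views/panes/{$slug}.php";
}

// Fix described in the article: basename() keeps only the final path
// component, so every directory segment (including "..") is discarded.
function pane_path_basename(string $slug): string {
    return PANEL_DIR . '/views/panes/' . basename($slug) . '.php';
}

// Stricter variant: accept only slugs the theme registers as panes and
// refuse everything else before touching the filesystem at all.
function pane_path_allowlist(string $slug, array $known_slugs): ?string {
    if (!in_array($slug, $known_slugs, true)) {
        return null;
    }
    return PANEL_DIR . '/views/panes/' . $slug . '.php';
}

// Constructed pane list and sample slugs: one legitimate pane, one plain
// traversal sequence, one traversal hidden behind a valid prefix.
$known    = ['overview', 'settings'];
$payloads = ['overview', '../../../outside-panes', 'overview/../../x'];

foreach ($payloads as $slug) {
    echo "slug: {$slug}\n";
    echo "  unpatched: " . pane_path_unpatched($slug) . "\n";
    echo "  basename:  " . pane_path_basename($slug) . "\n";
    echo "  allowlist: " . (pane_path_allowlist($slug, $known) ?? 'rejected') . "\n";
}
```

Running it shows the traversal slugs resolving outside views/panes only in the unpatched variant; basename() collapses them to a single file name inside the directory, and the allowlist rejects them outright.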

Disclosure Timeline

15-02-2022 – We found the vulnerability and reached out to the theme vendor.
22-02-2022 – OceanWP theme version 3.4.2 published to patch the reported issues.
27-02-2023 – Added the vulnerabilities to the Patchstack vulnerability database.
01-03-2023 – Published the article.

Help us make the internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.