WordPress Health Check & Troubleshooting Local File Inclusion Scanner

WordPress Health Check & Troubleshooting is a popular plugin used by WordPress administrators to diagnose and troubleshoot issues within their WordPress installations. It's commonly utilized by users to ensure their site is running optimally and securely. The plugin provides essential tools for debugging and managing conflicts, especially during plugin and theme changes. With its user-friendly interface, even non-developers can make use of its functionalities to maintain their site. The WordPress community often relies on this plugin as part of their routine maintenance tasks to maintain the site's integrity and performance.

The Local File Inclusion (LFI) vulnerability allows malicious users to navigate files on the server that should not be accessible, potentially exposing sensitive data. This vulnerability can exist when an application constructs a path to executable code using unsanitized input. Exploitation generally requires some form of authentication, but it might not impose heavy access control measures if not adequately secured. LFI vulnerabilities can lead to data leaks, code execution, and control over the compromised environment, depending on the system configuration. It's a severe security concern, especially for web applications that manage user data.

In the case of WordPress Health Check & Troubleshooting, the LFI vulnerability is exploited through the `admin-ajax.php` endpoint. Attackers with authenticated access can invoke dangerous file paths by manipulating the 'file' parameter in requests, exploiting its non-sanitized input handling. The vulnerable parameter is 'file' used in the 'action=health-check-view-file-diff' POST request. The endpoint fails to properly validate the legitimacy of file paths, allowing attackers to use directory traversal methods to access server files. With improper handling of this parameter, sensitive server files such as '/etc/passwd' become accessible.

Exploiting this LFI vulnerability could result in unauthorized access to sensitive server files, ultimately leading to data leaks or potentially providing a foothold for further system attacks. Malicious actors may read password and configuration files, gaining insight into system architectures to craft additional attack vectors. The unauthorized retrieval of proprietary code or data might compromise the confidentiality, integrity, or availability of user data. This type of vulnerability is particularly significant in environments running on default configurations or lacking robust access controls.

REFERENCES

• https://wpscan.com/vulnerability/5eecc4a7-0b44-495d-9352-78dccebfc72a
• https://www.synacktiv.com/ressources/advisories/WordPress_Health_Check_1.2.3_Vulnerabilities.pdf