A critical Local File Inclusion (LFI) vulnerability has been identified in the HTML filter and csv-file search plugin. This vulnerability could allow a malicious actor to include local files of the target website and show its output on the screen. Files that store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration.
Alex Thomas discovered and reported this vulnerability.
This vulnerability is caused by a flaw in the way that the HTML filter and csv-file search plugin handle user input. The vulnerability allows an attacker to exploit a flaw in the plugin’s code to include local files of the affected website.
Severity
Critical (CVSS 3.1 score of 8.8)
Affected Versions
All versions of the HTML filter and csv-file search plugin prior to 2.8
Impact
If a malicious actor is able to exploit this vulnerability, they could:
- Include local files of the target website and show its output on the screen.
- Access sensitive files, such as database credentials.
- Gain complete control of the website.
Recommendation
Immediate action is required to mitigate this critical vulnerability:
- Update immediately: Update the HTML filter and csv-file search plugin to the latest available version (at least 2.8). This vulnerability has been fixed in version 2.8.
- Verification of Update: After updating the plugin, confirm that the installed version is 2.8 or a later iteration. Review the changelog for indications of security enhancements.
- Best Security Practices: Implement supplementary security precautions such as deploying a reputable WordPress security plugin, practicing robust password policies, and conducting regular backups of the website.
- User and Team Awareness: Share information regarding the update and the security precautions taken with the website’s users and administrators. Elevate awareness among team and associates concerning the importance of defending against security vulnerabilities.