Extensive VC Addons for WPBakery Page Builder Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the Extensive VC Addons for WPBakery Page Builder WordPress plugin, affecting versions prior to 1.9.1. The vulnerability arises because the plugin passes request data to PHP's extract() function without proper validation when loading templates, which lets a client override the variable that holds the template path. An unauthenticated attacker can therefore control which file is included, potentially reading arbitrary files from the host's file system. Because the controlled value reaches a PHP include, this file inclusion can be escalated to remote code execution through PHP filter chains.
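To make the root cause concrete, here is an added illustration of the bug class the advisory describes, alongside the hardened form. This is not the plugin's code: the function names, the variable names and the template list are assumptions. The point is that extract() on request data lets a client overwrite the variable that is later passed to include, whereas an allow-list lookup keeps the client's choice from ever becoming a path.

```php
<?php
// Added illustration of the pattern described above; not the plugin's own code.
// All names here (load_pagination_template*, $options, $template) are assumptions.

// VULNERABLE: extract() turns every key of the request array into a local variable,
// so a client-supplied 'template' key silently overwrites $template before the include.
function load_pagination_template_vulnerable(array $options): void
{
    $template = __DIR__ . '/templates/default.php';
    extract($options);   // $template is now whatever the client sent
    include $template;   // traversal, stream wrappers and filter chains all reach include()
}

// HARDENED: never extract() untrusted data. Map the client's choice onto a fixed
// allow-list and build the filesystem path from constants only.
const PAGINATION_TEMPLATES = [
    'default' => 'default.php',
    'compact' => 'compact.php',
];

function load_pagination_template(array $options): void
{
    $key = (isset($options['template']) && is_string($options['template']))
        ? $options['template']
        : 'default';

    // Unknown name: fall back to the default rather than echo or include the input.
    if (!array_key_exists($key, PAGINATION_TEMPLATES)) {
        $key = 'default';
    }

    $path = __DIR__ . '/templates/' . PAGINATION_TEMPLATES[$key];

    // Defence in depth: the resolved file must live inside the templates directory.
    $base = realpath(__DIR__ . '/templates');
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return;
    }

    include $real;
}
```

With the hardened loader, a request can only select among the files the developer shipped; the value it sends is used as a dictionary key, never as a path fragment, so neither traversal sequences nor php:// wrappers have any effect.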

Impact

Exploitation of this vulnerability allows for unauthorized remote code execution on the server where the vulnerable WordPress site is hosted.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'extensive_vc_init_shortcode_pagination'. The 'options[template]' parameter can be manipulated to include a PHP filter that reads sensitive files, such as the '/etc/passwd' file. Once the local file inclusion is successful, the same 'options[template]' parameter can be used to execute arbitrary PHP code by injecting a payload that is processed by the PHP interpreter.
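For sites that cannot update immediately, the reproduction details above are enough to write a request-layer mitigation that also serves as a detection hook. The following is an added example of a WordPress must-use plugin and is not vendor code; it assumes that a legitimate 'options[template]' value is a bare template name (letters, digits, underscore, hyphen), which is an assumption about the plugin's normal inputs, and it uses the core 'init' action, which fires inside admin-ajax.php before the AJAX handlers are dispatched.

```php
<?php
/**
 * Plugin Name: Reject malformed options[template] for extensive_vc_init_shortcode_pagination
 * Added example of a temporary request-layer mitigation; not the plugin vendor's code.
 * Place in wp-content/mu-plugins/ until the plugin is updated to 1.9.1 or later.
 */

// Assumption: a legitimate template value is a short bare name. Anything containing
// "..", "/", "\" or ":" (and so any path traversal or stream wrapper such as php://)
// fails this test before the vulnerable handler ever sees it.
function evc_mitigation_is_safe_template_name($value): bool
{
    return is_string($value) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1;
}

function evc_mitigation_check_request(): void
{
    $action = isset($_REQUEST['action']) ? (string) wp_unslash($_REQUEST['action']) : '';
    if ($action !== 'extensive_vc_init_shortcode_pagination') {
        return;
    }

    $options = isset($_REQUEST['options']) ? wp_unslash($_REQUEST['options']) : [];
    if (!is_array($options) || !array_key_exists('template', $options)) {
        return; // nothing to validate on this request
    }

    if (!evc_mitigation_is_safe_template_name($options['template'])) {
        // Record the attempt for detection and incident response, then refuse the
        // request before admin-ajax.php dispatches the wp_ajax_* handler.
        $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(sprintf('evc-mitigation: rejected options[template] from %s', $remote));
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}

// 'init' runs during wp-load.php, i.e. before admin-ajax.php reaches its handlers.
add_action('init', 'evc_mitigation_check_request');
```

The error_log() line gives operations a signal to alert on (repeated rejections from one source against this action), and the 403 is returned before the plugin's own code runs. This is a stop-gap only; the remediation in the next section remains the fix.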

Remediation

Users are advised to update the Extensive VC Addons for WPBakery Page Builder WordPress plugin to version 1.9.1 or later.

Added: May 15, 2026, 11:40 AM
Updated: May 15, 2026, 11:40 AM

Vulnerability Rating

Custom Algorithm

  spread           3.4
  impact          10.0
  exploitability   9.7
  remediation      7.7
  relevance        0.0
  threat           8.3
  urgency          2.9
  incentive        8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.