Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
CIBELES AI WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
An arbitrary file upload vulnerability has been identified in the CIBELES AI WordPress plugin, affecting all versions up to and including 1.10.8. The file 'actualizador_git.php' is reachable directly over HTTP and performs no authentication or capability check before acting on its request parameters. An unauthenticated attacker can therefore make it download an arbitrary GitHub repository, unpack that repository over the plugin's own files on the server, and so achieve remote code execution.
Impact
Successful exploitation lets an unauthenticated attacker write attacker-controlled files, including PHP code, into the plugin directory. Because files in that directory are served by the web server, this amounts to remote code execution on the host.
Reproduction
To reproduce this vulnerability, send a request to the 'actualizador_git.php' file within the CIBELES AI WordPress plugin directory, supplying the 'owner', 'repo', 'ref', and 'token' parameters. The 'token' parameter is a GitHub personal access token used to fetch the repository. The script downloads the repository identified by 'owner', 'repo', and 'ref' as a ZIP file, extracts it, and overwrites the existing plugin files with its contents. A repository containing a PHP web shell therefore lands as an executable file in the plugin directory; after the upload, the shell is reachable as the 'shell.php' file in that directory.
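Added here as a detection aid; this is not code from the advisory or from the plugin. It classifies web server access-log lines using only the indicators the text gives (requests to 'actualizador_git.php' carrying the 'owner', 'repo' and 'ref' parameters, followed by a hit on 'shell.php' from the same source), and includes a small check against the 1.10.9 fix version. The log lines are constructed, the plugin directory name 'cibeles-ai' is an assumption (the advisory does not state the slug), and the IP addresses are documentation ranges.

```python
"""Access-log triage for the CIBELES AI 'actualizador_git.php' issue.

Constructed example (not the advisory's or the plugin's own code).
Assumptions: combined log format; plugin slug 'cibeles-ai' is a guess.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPDATER = "actualizador_git.php"          # unauthenticated updater named in the advisory
EXPLOIT_PARAMS = {"owner", "repo", "ref"}  # 'token' is usually present too but is not required here
WEBSHELL = "shell.php"                    # file the advisory says the shell is accessed through
FIXED_VERSION = (1, 10, 9)                # first patched release per the advisory

# Constructed sample log; 'cibeles-ai' directory name and token value are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2024:10:00:01 +0000] "GET /wp-content/plugins/cibeles-ai/actualizador_git.php?owner=attacker&repo=payload&ref=main&token=xxxx HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2024:10:00:09 +0000] "GET /wp-content/plugins/cibeles-ai/shell.php?cmd=id HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/May/2024:10:01:00 +0000] "GET /wp-content/plugins/cibeles-ai/actualizador_git.php HTTP/1.1" 200 88',
    '192.0.2.9 - - [01/May/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096',
]


def parse_line(line):
    """Split one combined-format line into ip, path, query params and status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "params": parse_qs(url.query),
        "status": int(m.group("status")),
    }


def classify(line):
    """Label a log line: 'updater_abuse', 'updater_probe', 'webshell_access', or None."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Match on the file name only: the plugin directory name is not given by the advisory.
    if rec["path"].endswith("/" + UPDATER):
        # Query-string parameters are visible in the log; POSTed parameters are not,
        # so a bare hit on the updater is still reported as a probe.
        if EXPLOIT_PARAMS.issubset(rec["params"]):
            return "updater_abuse"
        return "updater_probe"
    if rec["path"].endswith("/" + WEBSHELL):
        return "webshell_access"
    return None


def find_incidents(lines):
    """Collect the findings for each source IP, in log order."""
    per_ip = {}
    for line in lines:
        label = classify(line)
        if label is None:
            continue
        ip = parse_line(line)["ip"]
        per_ip.setdefault(ip, []).append(label)
    return per_ip


def confirmed_compromise(lines):
    """IPs that both triggered the updater with exploit parameters and then reached shell.php."""
    return sorted(
        ip for ip, labels in find_incidents(lines).items()
        if "updater_abuse" in labels and "webshell_access" in labels
    )


def is_patched(version):
    """True when the installed plugin version is 1.10.9 or later."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= FIXED_VERSION


if __name__ == "__main__":
    for ip, labels in find_incidents(SAMPLE_LOG).items():
        print(ip, labels)
    print("confirmed:", confirmed_compromise(SAMPLE_LOG))
    print("1.10.8 patched?", is_patched("1.10.8"))
```

Because the exploit parameters may also be sent in a POST body, which ordinary access logs do not record, treat any unauthenticated request that reaches 'actualizador_git.php' as worth investigating, not only the ones the script labels 'updater_abuse'. A hit on 'shell.php' in the plugin directory is a strong indicator on its own, since the plugin does not ship such a file.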
Remediation
Users are advised to update the CIBELES AI WordPress plugin to version 1.10.9 or later. Updating does not remove files an attacker has already written, so sites that were exposed while running an affected version should also have the plugin directory inspected for unexpected files (such as 'shell.php') and reinstalled from a clean copy if any are found.
