CVE-2018-5749

9.8 CRITICAL

📋 TL;DR

CVE-2018-5749 is an unauthenticated remote code execution vulnerability in the Minecraft Servers List Lite and Premium Minecraft Servers List WordPress plugins. Their installation script (install.php) takes database connection settings from an HTTP request and writes them into connect.php as PHP source without sanitizing them, so anyone who can reach install.php can have arbitrary PHP written into that file and executed, gaining full control of the affected site. It affects any WordPress site running a vulnerable version of either plugin.

💻 Affected Systems

Products:
  • Minecraft Servers List Lite
  • Premium Minecraft Servers List
Versions: Minecraft Servers List Lite before commit c1cd164; Premium Minecraft Servers List before 2.0.4
Operating Systems: Any OS running WordPress with affected plugins
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is the installation script (install.php), which stays reachable after initial setup unless it is removed by hand.

📦 What is this software?

A WordPress plugin, sold in a free Lite edition and a paid Premium edition, for publishing a list of Minecraft servers on a site. It ships its own install.php, which writes the database connection settings it is given into connect.php for the plugin to use afterwards.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, install backdoors, steal data, deface websites, or pivot to internal networks.

🟠

Likely Case

Website defacement, malware installation, credential theft, and unauthorized access to the WordPress database and server.

🟢

If Mitigated

Limited impact with proper input validation, file permissions, and network segmentation preventing code execution or lateral movement.

🌐 Internet-Facing: HIGH - install.php is reachable by any client that can reach the site and no account is needed, so exposed sites are exploitable by anyone on the internet.
🏢 Internal Only: LOW - A site reachable only from an internal network is exposed only to clients on that network, though the same unauthenticated request works from there.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: a single POST to install.php whose database parameters carry PHP code is enough, since the values are written unescaped into connect.php and run the next time that file is included. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Minecraft Servers List Lite: commit c1cd164 or later; Premium Minecraft Servers List: 2.0.4 or later

Advisory (researcher write-up, not a vendor advisory): https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/

Restart Required: No

Instructions:

1. Update to a patched version (Lite at or after commit c1cd164; Premium 2.0.4 or later) via the WordPress admin panel.
2. Remove any install.php that remains in the plugin directory.
3. Inspect connect.php, the file install.php writes, for anything other than the expected connection settings; injected PHP there means the site was already compromised, so treat the host accordingly and look for other backdoors.
4. Rotate the database credentials stored in connect.php, since anyone who achieved code execution could read them.

🔧 Temporary Workarounds

Remove install.php

linux

Delete the vulnerable install.php (or deny HTTP access to it in the web server configuration); the plugin does not need it once setup is complete.

rm /path/to/wordpress/wp-content/plugins/minecraft-servers-list/install.php

Restrict file permissions

linux

Make connect.php (the file install.php rewrites) unwritable by the web server account. Note that chmod 644 alone is not enough if that account owns the file, which is usual when plugins are installed from the admin panel; also assign the file to a different owner (for example root) so the web server has read access only. This deliberately breaks install.php's ability to rewrite the file.

chmod 644 /path/to/wordpress/wp-content/plugins/minecraft-servers-list/connect.php

🧯 If You Can't Patch

  • Immediately remove or disable the Minecraft Servers List plugin
  • Implement web application firewall rules to block requests to install.php (any method) and POST bodies whose database parameters contain PHP tags, quotes or semicolons

🔍 How to Verify

Check if Vulnerable:

Check whether install.php still exists in the plugin directory and, if it does, whether the database values it receives are validated or escaped before being written into connect.php as PHP source. An install.php that writes them verbatim is vulnerable.

Check Version:

Check the WordPress plugins page or the plugin header in the main plugin file. For the Lite edition the fix is identified by commit c1cd164 rather than a release number, so compare the plugin's install.php against that commit instead of relying on the version header alone.

Verify Fix Applied:

Verify plugin version is updated and install.php is removed or contains proper input validation/sanitization.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-content/plugins/minecraft-servers-list/install.php
  • Unusual file creation in plugin directories
  • Database connection errors from the plugin shortly after a POST to install.php (injected values also replace the credentials it connects with)

Network Indicators:

  • POST bodies to install.php whose database_server, database_user, database_password or database_name parameters contain PHP tags (<?php), quotes or semicolons; these are visible only where a WAF or proxy inspects request bodies, since standard access logs record the request line but not the body

SIEM Query:

source="web_logs" AND uri="/wp-content/plugins/minecraft-servers-list/install.php" AND method="POST"
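The log indicator above, as an added shell example for hosts without a SIEM; it is not tooling from the plugin, the advisory or any vendor. It reads combined-format access log lines, keeps only POSTs to the plugin's install.php (matched as a substring, so a WordPress install under a subdirectory such as /blog/ is still caught) and tallies them by source IP. The log lines are constructed for the example and the directory name minecraft-servers-list is the one used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page or any vendor tooling: pick POSTs to
# the plugin's install.php out of a combined-format access log. Access logs do not
# carry the POST body, so this flags the request itself, not the injected PHP.
INSTALL_PATH='/wp-content/plugins/minecraft-servers-list/install.php'

# Constructed sample: two exploitation attempts from one IP (one against a site under
# /blog/), one benign GET from a scanner, and unrelated login traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2018:14:03:21 +0000] "POST /wp-content/plugins/minecraft-servers-list/install.php HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
198.51.100.23 - - [10/Jan/2018:14:03:25 +0000] "GET /wp-content/plugins/minecraft-servers-list/install.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:03:30 +0000] "POST /blog/wp-content/plugins/minecraft-servers-list/install.php?x=1 HTTP/1.1" 200 512 "-" "curl/7.58.0"
192.0.2.44 - - [10/Jan/2018:14:04:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Reads log lines on stdin; prints "ip<TAB>timestamp<TAB>status<TAB>uri" for every POST
# whose request path contains the plugin's install.php (query strings included).
mcsl_install_posts() {
    awk -v path="$INSTALL_PATH" '
        $6 == "\"POST" && index($7, path) > 0 {
            ts = substr($4, 2)   # drop the leading "[" of the timestamp field
            printf "%s\t%s\t%s\t%s\n", $1, ts, $9, $7
        }'
}

# Counts offending POSTs per source IP, most active first ("<count> <ip>" per line).
mcsl_posts_by_ip() {
    mcsl_install_posts | cut -f1 | sort | uniq -c | sort -rn
}

if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | mcsl_posts_by_ip     # demo on the constructed sample
else
    cat "$@" | mcsl_posts_by_ip                        # usage: ./mcsl_posts.sh /var/log/apache2/access.log*
fi
```

For the SIEM query above the same subdirectory caveat applies: match the install.php path as a suffix or substring rather than as an exact uri, or a site served under a prefix will be missed. A 200 response on a flagged POST deserves the same follow-up as a hit on connect.php in the verification checks.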

🔗 References
