CVE-2021-38360
📋 TL;DR
The wp-publications WordPress plugin contains a local file inclusion vulnerability in the Q_FILE parameter of bibtexbrowser.php. This allows attackers to include local ZIP files and achieve remote code execution. WordPress sites using wp-publications version 0.0 or earlier are affected.
💻 Affected Systems
- wp-publications WordPress plugin
📦 What is this software?
Wp Publications by Wp Publications Project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with attacker gaining complete control over the WordPress site and potentially the underlying server through remote code execution.
Likely Case
Website defacement, data theft, malware installation, or use as part of a botnet for further attacks.
If Mitigated
Limited impact if proper file permissions and web application firewalls block malicious requests.
🎯 Exploit Status
Exploitation requires crafting requests to the vulnerable endpoint with malicious Q_FILE parameters. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.0 (plugin appears abandoned with no official fix)
Vendor Advisory: https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360
Restart Required: No
Instructions:
1. Remove the wp-publications plugin entirely.
2. Delete all plugin files from the WordPress installation.
3. Consider alternative publication plugins with active maintenance.
🔧 Temporary Workarounds
Block access to vulnerable file
Add web server rules to block access to bibtexbrowser.php
For Apache: add 'Deny from all' (or 'Require all denied' on Apache 2.4) to .htaccess in the plugin directory
For Nginx: add 'location ~ bibtexbrowser\.php$ { deny all; }' to the site config
Web Application Firewall rule
Block requests containing malicious Q_FILE parameters
WAF rule: Block requests where the Q_FILE parameter contains '..' or 'zip' patterns (match against the URL-decoded value so percent-encoded variants are caught)
🧯 If You Can't Patch
- Remove the wp-publications plugin completely
- Implement strict file permissions (644 for files, 755 for directories) and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check whether the wp-publications plugin directory exists under /wp-content/plugins/ and whether bibtexbrowser.php is present in it.
Check Version:
Check WordPress admin panel > Plugins page or examine wp-publications/readme.txt file
Verify Fix Applied:
Confirm the wp-publications plugin folder has been completely removed from the WordPress installation.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/wp-publications/bibtexbrowser.php with Q_FILE parameter
- Requests containing '..' or 'zip' in parameters
- Unexpected file inclusion errors in web server logs
Network Indicators:
- Unusual POST/GET requests to the vulnerable endpoint
- Traffic patterns suggesting file inclusion attempts
SIEM Query:
web.url:*bibtexbrowser.php* AND (web.query:Q_FILE=*..* OR web.query:Q_FILE=*zip*)
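As an added example (not part of the advisory), a small Python script that applies the log indicators above to access log lines. The log lines, IP addresses and file names are constructed for illustration; it decodes the Q_FILE value twice so that double-percent-encoded traversal is still matched:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Matches the request portion of a combined-format (Apache/Nginx) access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "bibtexbrowser.php"
PATTERNS = ("..", "zip")  # the indicators named in the advisory

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Aug/2021:12:00:01 +0000] "GET /wp-content/plugins/wp-publications/'
    'bibtexbrowser.php?Q_FILE=..%2F..%2Fuploads%2Fx.zip HTTP/1.1" 200 512 "-" "curl/7.68.0"\n'
    '198.51.100.7 - - [10/Aug/2021:12:00:02 +0000] "GET /wp-content/plugins/wp-publications/'
    'bibtexbrowser.php?Q_FILE=refs.bib HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    '198.51.100.8 - - [10/Aug/2021:12:00:03 +0000] "GET /index.php?p=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
    '203.0.113.9 - - [10/Aug/2021:12:00:04 +0000] "POST /wp-content/plugins/wp-publications/'
    'bibtexbrowser.php?Q_FILE=%252e%252e%2Fpubs.txt HTTP/1.1" 500 0 "-" "python-requests/2.25"\n'
)

def inspect_line(line):
    """Return a finding dict for a suspicious Q_FILE request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/" + ENDPOINT):
        return None
    # parse_qs removes one layer of percent-encoding; unquote again so a
    # double-encoded value such as %252e%252e is still seen as '..'.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("Q_FILE", []):
        value = unquote(raw)
        hits = [p for p in PATTERNS if p in value.lower()]
        if hits:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "method": m.group("method"), "status": int(m.group("status")),
                    "q_file": value, "matched": hits}
    return None

def scan_log(text):
    """Run inspect_line over every line of an access log and collect the findings."""
    return [f for f in map(inspect_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed it a real access log with `scan_log(open(path).read())`; the 'zip' pattern will also flag legitimate .zip downloads, so review hits rather than blocking on them automatically.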
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-publications/trunk/bibtexbrowser.php?rev=1830330#L49
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38360