CVE-2023-5099
📋 TL;DR
This vulnerability in the HTML filter and csv-file search WordPress plugin allows authenticated attackers with contributor-level permissions or higher to perform Local File Inclusion via the 'csvsearch' shortcode. Attackers can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or privilege escalation. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress HTML filter and csv-file search plugin
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via arbitrary PHP code execution, leading to complete data exfiltration, website defacement, or ransomware deployment.
Likely Case
Unauthorized access to sensitive files, privilege escalation to administrator, or backdoor installation for persistent access.
If Mitigated
Limited impact if proper file permissions restrict PHP execution in upload directories and contributor accounts are tightly controlled.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2985200/hk-filter-and-search
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'HTML filter and csv-file search'.
4. Click 'Update Now' if available, or manually update to version 2.8+.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until the patched version can be installed
wp plugin deactivate hk-filter-and-search
Restrict contributor accounts
Temporarily disable or audit all contributor-level user accounts
🧯 If You Can't Patch
- Remove or restrict 'csvsearch' shortcode usage across the site
- Implement web application firewall rules to block LFI patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'HTML filter and csv-file search' version ≤2.7
Check Version:
wp plugin get hk-filter-and-search --field=version
Verify Fix Applied:
Confirm plugin version is 2.8 or higher in WordPress admin panel
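The version check above can be scripted so it runs on every WordPress host you manage. The script below is an added example, not part of this advisory or of the plugin; it assumes wp-cli is installed on the host and takes the fixed release (2.8) from the advisory. Only the wp-cli lookup needs a live WordPress install; the version comparison itself is pure shell.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed
# hk-filter-and-search version as vulnerable (< 2.8) or patched.
FIXED_VERSION="2.8"   # first fixed release per the advisory

# version_lt A B -> exit status 0 when dotted version A is lower than B.
# Compares component by component so that 2.10 sorts above 2.8.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# plugin_status VERSION -> prints "vulnerable" or "patched"
plugin_status() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# check_site: ask wp-cli for the installed version and classify it.
# Run this from the WordPress document root (or pass --path to wp).
check_site() {
  v=$(wp plugin get hk-filter-and-search --field=version 2>/dev/null) || {
    echo "hk-filter-and-search: not installed"
    return 0
  }
  echo "hk-filter-and-search $v: $(plugin_status "$v")"
}

# Usage: sh check_hk_filter.sh --check   (on the WordPress host)
if [ "${1:-}" = "--check" ]; then
  check_site
fi
```

Run it with `--check` on each site; any line ending in "vulnerable" means the plugin is still at 2.7 or lower and should be updated or deactivated as described above.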
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- Multiple failed authentication attempts followed by successful contributor login
- POST requests containing 'csvsearch' shortcode with unusual 'src' parameters
Network Indicators:
- HTTP requests with file path traversal patterns in 'src' parameter
- Unexpected PHP file executions from non-standard locations
SIEM Query:
source="web_server" AND (uri="*csvsearch*" AND (param="*../*" OR param="*/etc/*" OR param="*php://*"))
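The SIEM query above expresses the detection logic at the search layer; the same logic can be run directly over web server access logs. The script below is an added example, not part of this advisory, and the log lines in it are constructed for illustration (the request shape with a `csvsearch` and `src` query parameter is an assumption, not the plugin's documented URL format). It adds one caveat the raw query misses: percent-encoded traversal (`%2e%2e%2f`) is decoded before matching, so an encoded path does not slip past the `../` pattern.

```shell
#!/bin/sh
# Added example (not from the advisory): flag access-log lines that match
# the advisory's SIEM logic (csvsearch in the request plus a traversal or
# php:// stream pattern), after decoding common percent-encodings.

# Constructed sample log (combined-format style, addresses from TEST-NET-3).
# Lines 3, 4 and 5 should be flagged; lines 1 and 2 are benign.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:12:00:05 +0000] "GET /?p=12&csvsearch=1&src=data/list.csv HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2023:12:00:09 +0000] "GET /?p=12&csvsearch=1&src=../../../../etc/passwd HTTP/1.1" 200 1337
203.0.113.5 - - [10/Oct/2023:12:00:14 +0000] "GET /?p=12&csvsearch=1&src=..%2F..%2Fwp-content%2Fuploads%2Fnote.txt HTTP/1.1" 200 900
203.0.113.5 - - [10/Oct/2023:12:00:20 +0000] "GET /?p=12&csvsearch=1&src=php://filter/resource=index.php HTTP/1.1" 200 300'

# flag_lfi_requests: read log lines on stdin, print the original line for
# every request that mentions csvsearch and carries "../", "/etc/" or
# "php://" once %2e, %2f and %3a are decoded (case-insensitively).
flag_lfi_requests() {
  awk '{
    d = tolower($0)                       # work on a decoded copy
    gsub(/%2e/, ".", d); gsub(/%2f/, "/", d); gsub(/%3a/, ":", d)
    if (d ~ /csvsearch/ && (d ~ /\.\.\// || d ~ /\/etc\// || d ~ /php:\/\//))
      print                               # emit the untouched original
  }'
}

# count_flagged: number of suspicious lines in the constructed sample
count_flagged() {
  printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests | wc -l | tr -d ' '
}

# Usage on a real host:  flag_lfi_requests < /var/log/apache2/access.log
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
  echo "flagged: $(count_flagged)"
fi
```

Two limitations to keep in mind: stock Apache and nginx access logs record only the request line, so a shortcode placed in a POST body (the "POST requests containing 'csvsearch' shortcode" indicator above) is only visible if request bodies are logged or a WAF inspects them; and the decoder handles just the three encodings the patterns depend on, so extend it if your logs show other encodings.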
🔗 References
- https://plugins.trac.wordpress.org/changeset/2985200/hk-filter-and-search
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ee2b4055-8cbd-49b7-bb0b-eddef85060fc?source=cve