We received a vulnerability notice from Martin H, a security researcher at Patchstack.com, who discovered and reported a Local File Inclusion (LFI) vulnerability in the CSS & JavaScript Toolbox plugin affecting versions 12.0.1 and lower. Any authenticated user, even one with the Subscriber role, can trigger it through admin-ajax.php, so it is important to upgrade as soon as possible.

The report reads as follows:

How to reproduce

The plugin has internal routing which uses the GET parameter "controller". The value of the parameter is concatenated to a PHP file path, which is then included with require_once. The parameter is vulnerable to path traversal, and arbitrary PHP files can be included.

1. Install plugin as normal – then hit the custom button “Install” to fully install the plugin
2. Visit as Subscriber: http://wordpress-instance/wp-admin/admin-ajax.php?action=cjtoolbox_api&controller=../../../../wp-content/plugins/css-javascript-toolbox/includes/html/incompatible_cjtplus_version.html
3. See that wp-content/plugins/css-javascript-toolbox/includes/html/incompatible_cjtplus_version.html.php is included.

You can also of course use your own PHP file to include as a PoC (you have to omit the ".php" suffix).

Additional information by researcher

The vulnerable script is in css-javascript-toolbox/framework/mvc/controller.inc.php:

// $name is taken from the "controller" request parameter without validation
$controllerFile = "{$pathToControllers}/{$name}.php";
// the filter hook may rewrite the path, but by default it is included as built above
require_once self::trigger('CJTController.loadcontroller', $controllerFile, $name);

The $name is in control of the attacker. There is a ".php" suffix, so only PHP files can be included.
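The pattern described in the report, a request parameter concatenated into a require_once path, is shown below in a minimal dispatcher alongside a hardened version. This is an added example written for this advisory, not the plugin's own code or the researcher's; the function names, the $pathToControllers directory and the sample inputs are illustrative.

```php
<?php
// Added example, not code from the plugin. Illustrates why appending ".php"
// does not stop traversal, and one way to load controllers safely.

$pathToControllers = __DIR__ . '/controllers';   // assumed layout for the example

// Vulnerable form: $name comes straight from $_GET['controller'] and is only
// wrapped in "{dir}/{name}.php". require_once resolves "../" segments, so any
// .php file on disk can be included (the suffix merely restricts the extension).
function load_controller_vulnerable(string $pathToControllers, string $name): void
{
    $controllerFile = "{$pathToControllers}/{$name}.php";
    require_once $controllerFile;
}

// Hardened form, step 1: map the requested name to a file or refuse.
// - only plain identifiers are accepted, which rejects "/", "\", "..", "." and NUL
// - the resolved path must still sit inside the controllers directory, which
//   also catches a symlink dropped into that directory
function resolve_controller(string $pathToControllers, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return null;
    }
    $base = realpath($pathToControllers);
    $file = realpath("{$pathToControllers}/{$name}.php");
    if ($base === false || $file === false) {
        return null;   // directory or controller file does not exist
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved path escaped the controllers directory
    }
    return $file;
}

// Hardened form, step 2: include only what resolve_controller() approved.
function load_controller_hardened(string $pathToControllers, string $name): void
{
    $file = resolve_controller($pathToControllers, $name);
    if ($file === null) {
        http_response_code(400);
        exit('invalid controller');
    }
    require_once $file;
}

// Constructed inputs for a quick check from the command line.
$attacker = '../../../../wp-content/plugins/css-javascript-toolbox/includes/html/incompatible_cjtplus_version';
// Rejected by the identifier check before any filesystem access.
var_dump(resolve_controller($pathToControllers, $attacker));
// Returns the absolute path if controllers/settings.php exists under this script, otherwise NULL.
var_dump(resolve_controller($pathToControllers, 'settings'));
```

Two points worth keeping in mind when applying this inside a WordPress plugin: the identifier check is the important control, since realpath() only helps once the file exists, and an admin-ajax.php action registered with wp_ajax_{action} runs for every logged-in user regardless of role, so the handler should also verify a capability (for example current_user_can('manage_options')) and a nonce before touching the router at all.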
