CVE-2023-5311

The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the contents of the .htaccess files located in a site’s root directory or /wp-content and /wp-includes folders and achieve remote code execution.


Missing Authorization on .htaccess File Leads to RCE

The minimum permission that a subscriber should have typically doesn’t include the ability to upload or overwrite files like .htaccess. However, if there is a vulnerability or misconfiguration that allows a subscriber to perform such actions, it could potentially lead to a successful Remote Code Execution (RCE) attack on the server.

  • The register function has three separate code paths, and each one writes a request-supplied value to an .htaccess file in full, using one of the parameters htaccess_root, htaccess_includes, or htaccess_content.

    // Excerpt from register() as given in the write-up (closing braces not shown).
    // No capability check precedes any of these writes.

    // Site root .htaccess
    if (!empty($_POST['save_root'])) {
        if (isset($_POST['wp_extra']['htaccess_root'])) {
            $htaccess_root = trim(stripslashes($_POST['wp_extra']['htaccess_root']));
            @file_put_contents($path_root, $htaccess_root);

    // /wp-content .htaccess
    if (!empty($_POST['save_content'])) {
        if (isset($_POST['wp_extra']['htaccess_content'])) {
            $htaccess_content = trim(stripslashes($_POST['wp_extra']['htaccess_content']));
            if (!file_exists($path_content)) {
            @file_put_contents($path_content, $htaccess_content);

    // /wp-includes .htaccess
    if (!empty($_POST['save_includes'])) {
        if (isset($_POST['wp_extra']['htaccess_includes'])) {
            $htaccess_includes = trim(stripslashes($_POST['wp_extra']['htaccess_includes']));
            if ($htaccess_includes) {
                if (!file_exists($path_includes)) {
                @file_put_contents($path_includes, $htaccess_includes);

Despite being blacklisted, it is still possible to configure the .htaccess file to treat this file extension as executable, similar to a regular PHP file, enabling Remote Code Execution (RCE) to be performed.
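A hardened form of the three save paths above, as an added example; it is not the WP EXtra source or the vendor's patch. The function name `wpx_example_save_htaccess`, the nonce action, the `admin_init` hook and the choice of the `manage_options` capability are assumptions; the POST field names come from the excerpt.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's own code.
// Assumes it is loaded inside WordPress (ABSPATH, WP_CONTENT_DIR, WPINC defined).

function wpx_example_save_htaccess() {
    // Submit flag => array( POST field, target file ); field names as in the excerpt.
    $targets = array(
        'save_root'     => array( 'htaccess_root', ABSPATH . '.htaccess' ),
        'save_content'  => array( 'htaccess_content', WP_CONTENT_DIR . '/.htaccess' ),
        'save_includes' => array( 'htaccess_includes', ABSPATH . WPINC . '/.htaccess' ),
    );

    $requested = array();
    foreach ( $targets as $flag => $target ) {
        if ( ! empty( $_POST[ $flag ] ) ) {
            $requested[] = $target;
        }
    }
    if ( ! $requested ) {
        return; // Not a save request.
    }

    // The check the vulnerable register() lacked: only administrators may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to edit .htaccess files.', '', array( 'response' => 403 ) );
    }

    // Reject forged cross-site submissions. The settings form must emit the
    // matching nonce with wp_nonce_field( 'wpx_example_save_htaccess' ).
    check_admin_referer( 'wpx_example_save_htaccess' );

    foreach ( $requested as list( $field, $path ) ) {
        if ( ! isset( $_POST['wp_extra'][ $field ] ) || ! is_string( $_POST['wp_extra'][ $field ] ) ) {
            continue;
        }
        $contents = trim( wp_unslash( $_POST['wp_extra'][ $field ] ) );

        // No @ suppression: a failed write is reported instead of hidden.
        if ( false === file_put_contents( $path, $contents, LOCK_EX ) ) {
            wp_die( esc_html( "Could not write $path" ), '', array( 'response' => 500 ) );
        }
    }
}
add_action( 'admin_init', 'wpx_example_save_htaccess' );
```

The capability check runs before any request data is read into a file write, so a subscriber-level account is rejected with a 403 regardless of which of the three parameters it submits.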

Thanks for reading, have a nice day
