_{As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.}

Recently a report claiming there a vulnerability that allowed the uploading of .php files through the  jQuery Html5 File Upload plugin was released. The validity of this report seemed suspect based on the proof of concept provided:

<center>
<br><br><br><br><br><br><br><br><br><br><br><br><br>
<font face="Iceland" color="red" size="7">jQuery File Upload By Hacker Khan</font><br>
<form method="POST" action="target.com/
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>

There is a HTML form in that, but there isn’t even the HTML code to submit the form included. After fixing up the proof of concept, we tried it and found that when we tried to upload a .php file we got the following error “Filetype not allowed”, so it seemed the plugin was properly not allowing a .php file to be uploaded.

Looking at the code confirmed that. Starting on line 367 of the file /UploadHandler.php the file extension is checked:

 if (!preg_match($this->options['accept_file_types'], $file->name)) {
 $file->error = $this->get_error_message('accept_file_types');
 return false;
 }

Filling in the variables in the first line of that, the code looks like:

if (!preg_match(/\.(gif|jpeg|jpg|png)$/i, test.php)) {

So the code checks if the file name ends with .gif, .jpeg, .jpg, or .png by default, which it doesn’t if the extension of the file is .php.