A couple of weeks ago we started seeing requests for a file from the plugin WP Editor and suspected that the requests were from someone looking for website using the plugin, to exploit some vulnerability in the plugin. After seeing that we starting trying to figure out what the hacker was hoping to exploit, so that we could make it was in our data set.
Since we didn’t have the plugin installed, we couldn’t see what the hacker would try to do if the file from the plugin had been there. We then went looking for any reports of vulnerabilities in the plugin, upon finding none and seeing the plugin hadn’t been updated in 8 months (so it wasn’t a situation where someone had worked out how to exploit a vulnerability that had been recently fixed by the developer) we started looking for vulnerabilities.
In a matter of minutes we found that the plugin had an authenticated arbitrary file upload vulnerability and an authenticated file modification vulnerability in the then current version, 18.104.22.168, of the plugin. Right after finding those we notified the Plugin Directory of the issue and the next morning we notified the developer of the plugin as well. While doing some more checking we found that there had also been an authenticated arbitrary file viewing vulnerability in the plugin. All of those vulnerabilities were fixed in version of 1.2.6 of the plugin.
What we still didn’t know is if those were the vulnerabilities that were attempted to be exploited or was there something still out there that we missed. While working on a follow up post based on that situation we took a look to see if anything else was now out there on this situation and we found a post that looks like it might have what lead to the hacking attempts. While the page is in Russian and machine translations of the page text don’t seem to very good, what is clear is that vulnerabilities listed there are the authenticated arbitrary file upload vulnerability and authenticated arbitrary file viewing vulnerability that we spotted previously. Since those have been fixed it looks like the plugin does not have known vulnerability in it at this point.