Arbitrary File Upload Vulnerability in BePro Listings
One of the ways we make sure that we are providing the best vulnerability data possible to our customers is by monitoring attempts to exploit WordPress plugins on our websites. Now for the third time in less than month this has lead to us finding new vulnerabilities being exploited.
This time it started with a request for the file /wp-content/plugins/bepro-listings/css/generic_listings_1.css on this website. That is a file from the plugin BePro Listings, which we don’t have installed. Since we don’t have it installed there wouldn’t be a reason for someone to be requesting it in normal circumstances, which usually indicates that someone is looking to see if the plugin is installed before trying to exploit a vulnerability in it. Since it isn’t installed, we couldn’t see what the hacker was looking to exploit in it.
It only took a quick look to identify two serious vulnerabilities in the plugin. The first of which is likely the one being exploited.
The plugin allows new listing to be created using the [create_listing_form] shortcode. That listing form includes three file upload fields:
No restriction is placed on what kind of file can be uploaded, so you can upload malicious .php files or anything else. The files are placed in the standard WordPress upload directory (/wp-content/uploads/[year]/[month]/), so they are accessible to hacker after being uploaded.
Proof of Concept
Create a new post with the [create_listing_form] shortcode in it.
Fill in the form, making sure to include a file upload.
Your selected file will be located in the WordPress upload directory, this month that would be /wp-content/plugins/2016/16/.
Timeline
- 6/2/2016 – Developer notified.
- 6/3/2016 – WordPress.org Plugin Directory notified.
- 6/3/2016 – Plugin removed from the Plugin Directory.
- 7/6/2016 – Version 2.2.0021, which fixes vulnerability.