03 Jun

Arbitrary File Upload Vulnerability in BePro Listings

One of the ways we make sure that we are providing the best vulnerability data possible to our customers is by monitoring attempts to exploit WordPress plugins on our websites. Now, for the third time in less than a month, this has led to us finding new vulnerabilities being exploited.

This time it started with a request for the file /wp-content/plugins/bepro-listings/css/generic_listings_1.css on this website. That is a file from the plugin BePro Listings, which we don’t have installed. Since we don’t have it installed, there would be no reason for someone to request it under normal circumstances; a request like that usually indicates that someone is checking whether the plugin is installed before trying to exploit a vulnerability in it. Since it isn’t installed, we couldn’t see from the request what the hacker was looking to exploit.

It only took a quick look to identify two serious vulnerabilities in the plugin, the first of which is likely the one being exploited.

The plugin allows new listings to be created using the [create_listing_form] shortcode. That listing form includes three file upload fields:

bepro-listings-file-upload

No restriction is placed on what kind of file can be uploaded, so malicious .php files, or anything else, can be uploaded. The files are placed in the standard WordPress upload directory (/wp-content/uploads/[year]/[month]/), which is web accessible, so they are reachable by the hacker after being uploaded. Because an uploaded file keeps its .php extension and lands in a directory the web server serves, requesting it causes the server to execute it rather than just return it.
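To make the fix concrete, here is an added example of the two patterns side by side. It is illustrative code written for this post, not code from the BePro Listings plugin; the only thing taken from the plugin is the field name bepro-listings-file-upload given above. The function names, the nonce action name and the image-only allowlist are this example's own assumptions.

```php
<?php
// Added illustrative example, not code from the BePro Listings plugin.
// Assumed: the upload field is named "bepro-listings-file-upload" (from the
// post above). Function names, the nonce action and the allowed types are
// choices made for this example.

// Vulnerable pattern: whatever the browser sent is written into the upload
// directory under the client-supplied name, so evil.php ends up at
// /wp-content/uploads/<year>/<month>/evil.php and runs when requested.
function example_vulnerable_listing_upload() {
    if ( empty( $_FILES['bepro-listings-file-upload']['name'] ) ) {
        return false;
    }
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['path'] . '/' . basename( $_FILES['bepro-listings-file-upload']['name'] );
    return move_uploaded_file( $_FILES['bepro-listings-file-upload']['tmp_name'], $target );
}

// Hardened pattern: verify the submission, allow only the types a listing
// needs, and let WordPress store the file.
function example_hardened_listing_upload() {
    // 1. Anyone who can reach the page carrying the shortcode can submit the
    //    form, so tie each submission to a nonce emitted with the form via
    //    wp_nonce_field( 'example_create_listing', 'example_listing_nonce' ).
    if ( ! isset( $_POST['example_listing_nonce'] )
        || ! wp_verify_nonce( $_POST['example_listing_nonce'], 'example_create_listing' ) ) {
        return new WP_Error( 'bad_nonce', 'Form submission could not be verified.' );
    }
    if ( empty( $_FILES['bepro-listings-file-upload']['name'] ) ) {
        return new WP_Error( 'no_file', 'No file was uploaded.' );
    }
    $file = $_FILES['bepro-listings-file-upload'];

    // 2. Allowlist of what a listing actually needs. wp_check_filetype_and_ext()
    //    matches the extension against this list and, for images, also checks
    //    the real content, so a .php (or .phtml, .phar, ...) upload is rejected
    //    before anything is written to disk.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $checked = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $checked['ext'] ) || empty( $checked['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG and GIF images are accepted.' );
    }

    // 3. Let WordPress move the file. It sanitizes the filename, avoids name
    //    collisions and applies the same 'mimes' allowlist a second time.
    //    'test_form' => false because this is not the media-library form.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file']; // filesystem path of the stored image
}
```

Two practical notes on the hardened version. The allowlist is the control that matters for this bug; the nonce only stops cross-site submissions and does nothing against an attacker who simply visits the page, so it is not a substitute. And the check is only as good as the server configuration around it: if the web server is set to execute files by a double extension or by a handler matched on part of the name, a file that passes as an image can still be a problem, so the upload directory should also be configured not to execute scripts.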

Proof of Concept

Create a new post with the [create_listing_form] shortcode in it.

Fill in the form, making sure to include a file upload.

Your selected file will be located in the WordPress upload directory; this month that would be /wp-content/uploads/2016/06/. Requesting the file at that path confirms the upload succeeded, and a .php file placed there is executed by the web server when requested.

Timeline

  • 6/2/2016 – Developer notified.
  • 6/3/2016 – WordPress.org Plugin Directory notified.
  • 6/3/2016 – Plugin removed from the Plugin Directory.
  • 7/6/2016 – Version 2.2.0021, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
