In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.
Shell Upload Vulnerability in Social Share Buttons for WordPress
The report of a claimed shell upload vulnerability in Social Share Buttons for WordPress claims that it allows “Unrestricted Upload of File with Dangerous Type”. Strangely the report includes the full contents of one file from the plugin, but not the one that would actually handle uploads. Instead the file is a frontend for sending requests to the actually relevant file. If you look at the file that actually handles the uploads it restricts the extensions of files that can be uploaded to the following:
$allowed_ext = "jpg,jpeg,gif,png,bmp";
Arbitrary File Upload Vulnerability in Baggage Freight Shipping Australia
The claimed arbitrary file upload vulnerability in the plugin Baggage Freight Shipping Australia is a good reminder of the need to actually test things out instead of glancing at code and assuming it will work. In this case while the code shown certainly could introduce a vulnerability, but it won’t work since the directory the file would be saved to, /wp-content/plugins/wp-content/plugins/baggage_shipping/upload/, wouldn’t exist and with the function handling the upload, move_uploaded_file(), the directory would already need to exist for that to be able to save the file. The upload code doesn’t even work if accessed as intended as it would try to save the file to a directory that doesn’t exist either, /wp-content/plugins/baggage_shipping/upload/.