Someone reported to us that our Plugin Vulnerabilities Firewall had blocked an attempt to exploit what turned out to be an arbitrary file upload vulnerability in the plugin Advert Manager. The blocked request was sent to the plugin’s file /upload-file.php. The relevant code that allows arbitrary file uploads in the file is this:

2
3
4

$uploaddir = 'uploads/';
$file = $uploaddir . basename($_FILES['uploadfile']['name']); 
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {