20 Mar 2019

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability Being Added to Analytics-Gtag

Our proactive monitoring of changes made to WordPress plugins in the Plugin Directory is meant to catch serious vulnerabilities. Usually the code it flags is deep inside of other code, so confirming there is a vulnerability requires a bit of work. That wasn’t the case with the code added to the latest version of the plugin Analytics-Gtag, which creates a restricted file upload vulnerability. The most obvious use of that vulnerability would be to cause persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file. It could also, say, be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to be executed.

The new version of the plugin adds a file named creator.php, which will take the value of the GET input “param4”: