10 Apr 2019

Vulnerability Details: Arbitrary File Upload in Zielke Specialized Catalog

Recently, in looking into what might explain how plugins end up with serious vulnerabilities that hackers would be likely to exploit, what we have been seeing is that the developers of those plugins are making numerous coding errors and clearly not testing their code. That was the case with the code that was flagged in Zielke Specialized Catalog by our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities.

[Read more]

5 Apr 2019

Arbitrary File Upload Vulnerability in SupportCandy

When it comes to the security of WordPress plugins, what other security companies generally do is add protection against vulnerabilities after they have already been widely exploited, which, it should be pretty obvious, doesn’t produce good results. By comparison, we do proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, but we only have so much time to do that with the number of customers we have, so we have a backlog of possible vulnerabilities that didn’t look like serious issues and that we haven’t had time to get to. Sometimes, as is the case with the plugin SupportCandy, when the plugin comes up again in that proactive monitoring we realize that the vulnerability was more serious: the plugin contains an arbitrary file upload vulnerability, which is the kind that hackers are likely to exploit.

What is odd about the arbitrary file upload vulnerability is that the developer has had file upload capability that was at least partially secured for some time, and then, back in January, added new functionality that is totally insecure. [Read more]

27 Mar 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Child Themes Helper

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability in the plugin Child Themes Helper, which is also exploitable through cross-site request forgery (CSRF). That occurs in an AJAX-accessible function, and it looks like a number of the other ones are also insecure and contain vulnerabilities; we will detail one of the more serious ones in a follow-up post.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

4 Jan 2019

A Hacker Is Probably Already Exploiting This Arbitrary File Upload Vulnerability in a WordPress Plugin

In the last several days someone started making requests, using Tor nodes, for the file /wp-content/plugins/image-clipboard/readme.txt, which is a file from the WordPress plugin Clipboard Images. That would likely be a hacker probing for usage of the plugin, which has 800+ active installations according to wordpress.org, before exploiting a vulnerability in it. After we noticed that activity this morning we went to look over the code to see if we could find a vulnerability that hackers would be likely to exploit, and it took only moments to find what in all likelihood is already being exploited.

Making that relatively easy to do is the fact that the plugin only contains a single function with any code of a substantial nature. That function is named save_image() and it is accessible through WordPress AJAX functionality to those logged in as well as those not logged in to WordPress: [Read more]

3 Jan 2019

Vulnerability Details: Arbitrary File Upload in JS Job Manager

One of the changelog entries for the latest version of JS Job Manager is “Security fix for ajax actions”. Looking at the changes made in that version we found that the function ajaxhandler() was changed to limit which of the plugin’s functions can be accessed through it.

[Read more]

3 Jan 2019

Our Plugin Security Checker Can Now Spot More Possible Issues Leading to Arbitrary File Upload Vulnerabilities

As we have mentioned before, we recently improved our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins, building on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues. That in turn has allowed us to easily test out new checks for the Plugin Security Checker across a lot of code before introducing them to the public, which makes it easier to improve that tool without causing unnecessary issues for people using it. One of the checks we have been testing out has now spotted one of the most likely to be exploited types of vulnerabilities, an arbitrary file upload vulnerability, in the plugin Buddy Share It Allusers FB YR, which would allow a hacker to take control of a website by adding a file with malicious code to it.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it can now alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). From there, if you are a paying customer of our service you can suggest/vote for a plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

19 Dec 2018

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability Being Introduced Into a Plugin That Works With WooCommerce

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we just caught one of the most likely to be exploited types of vulnerabilities being introduced into a plugin: an arbitrary file upload vulnerability, which provides hackers with an easy way of gaining complete access to a website, since they can upload a file with whatever malicious code they want and then cause that to run. The plugin itself, 3D Product configurator for WooCommerce, isn’t popular, with “Fewer than 10” installations according to wordpress.org, but in yet another reminder that those using WooCommerce need to be concerned about the security of any plugins they use with it, this is yet another WooCommerce-tied plugin we have recently found a fairly serious security issue with.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it can alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). From there, if you are a paying customer of our service you can suggest/vote for a plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

8 Aug 2018

Arbitrary File Upload Vulnerability Being Exploited in Current Version of Ultimate Member

The WordPress plugin Ultimate Member was recently brought onto our radar after it had been run through our Plugin Security Checker and that tool had identified a possible vulnerability in it. We happened to take a look into that as part of a continued effort to improve the results coming from that tool. We confirmed that there was a vulnerability and notified the developer. The developer responded that they would fix it as soon as possible, but it has been nearly a month and that hasn’t happened. In line with our disclosure policy we are scheduled to disclose that vulnerability on Friday. Thankfully that vulnerability isn’t something that is likely to be exploited in an untargeted hack, but there is another vulnerability that is presently being exploited in the current version, 2.0.21, of the plugin.

Yesterday we were contacted about a thread on the WordPress Support Forum discussing that possibility. In that thread the developer responded more than a day ago with: [Read more]

16 May 2018

Our Proactive Monitoring Caught a Newly Introduced Arbitrary File Upload Vulnerability in a Plugin with 50,000+ Active Installations

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has led to us catching a vulnerability in a fairly popular plugin, of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), it is another reminder of how that tool can help to indicate which plugins are in greater need of a security review (which we do as part of our service as well as separately).

In the plugin KingComposer, which has 50,000+ active installations according to wordpress.org, version 2.7 introduced functionality for uploading extensions. That functionality is accessible to anyone, even those without access to the admin page from which it is intended to be initiated. That currently allows uploading arbitrary files, including malicious files, if the Extensions admin page of the plugin has ever been visited prior to the attempted exploitation. [Read more]

5 Mar 2018

Vulnerability Details: Arbitrary File Upload Vulnerability in Open Flash Chart Core

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor what look to be hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/open-flash-chart-core-wordpress-plugin/open-flash-chart-2/php-ofc-library/ofc_upload_image.php, which would be from the plugin Open Flash Chart Core.

We immediately recognized that file as being one from the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin, a new version was released years ago that fixed this by removing the vulnerable file. [Read more]