5 Mar 2018

Vulnerability Details: Arbitrary File Upload Vulnerability in IP-Logger

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor what look to be hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/ip-logger/chart/ofc_upload_image.php, which would be from the plugin IP-Logger. That plugin is no longer in the WordPress Plugin Directory, which could be because it was removed for a security issue.

We immediately recognized that file as being one from the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue. [Read more]

5 Feb 2018

Our Plugin Security Checker Would Have Warned You About This Arbitrary File Upload Vulnerability in a WordPress Plugin

One of the things that we do to make sure that we provide our customers with the best data on vulnerabilities in WordPress plugins is to monitor the WordPress Support Forum for threads that are related to those. Through that we recently ran across a review of the plugin user files that made this claim:

Even the simplest attack as SQL Injection can be done with this. [Read more]

29 Jan 2018

Arbitrary File Upload Vulnerability in WordPress Forms

Over at our main business we clean up a lot of hacked websites. Based on how often we are brought in to re-clean websites after another company (including many well known names) has failed to even attempt to properly clean things up, our service in general is much better than many other options out there. When cleaning up hacked WordPress websites we also throw in a couple of extras related to this service. The first is a free lifetime subscription to this service, and the second is that we check over all the installed plugins using the same checks we do as part of our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities.

Recently that led to us checking the plugin WordPress Forms, which was removed from the Plugin Directory by the developer five years ago (but still has 500+ active installs according to wordpress.org). When we did that, we found that it contained an arbitrary file upload vulnerability. [Read more]

27 Nov 2017

Did the WordPress Plugin Directory Know That PHP Event Calendar Contains an Exploitable Vulnerability?

A day ago we had what looks to be a request from a hacker for a file that would be located at /wp-content/plugins/php-event-calendar/server/file-uploader/index.php. That would be a file in the plugin PHP Event Calendar. In the Plugin Directory the plugin “has been closed and is no longer available for download”, but no reason is given as to why that is.

In looking around we couldn’t find any public disclosure of a security issue related to that file. [Read more]
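The two posts above (IP-Logger and PHP Event Calendar) each start from a request for a file that only exists in a plugin that has since been removed from the Plugin Directory. The following is an added example, not code from these posts or from the plugins, of how a site owner could pick those same requests out of a web server access log. It assumes the Apache/nginx "combined" log format; the two watched paths are the ones named in the posts, and the sample log lines are constructed for the example, not real traffic. A 4xx status on such a request means the plugin is not installed and the request was only a probe; a 2xx means the file is actually being served and the plugin is worth looking at.

```python
"""Added example: flag access-log requests for files that only exist in
removed/vulnerable WordPress plugins.

Assumptions (not from the original posts): combined log format, and
the constructed sample lines below.
"""
import re
from urllib.parse import unquote, urlsplit

# Paths named in the posts above; both belong to plugins that were removed
# from the Plugin Directory. Matching is on the normalised path only.
WATCHED_PATHS = {
    "/wp-content/plugins/ip-logger/chart/ofc_upload_image.php":
        "IP-Logger (Open Flash Charts upload)",
    "/wp-content/plugins/php-event-calendar/server/file-uploader/index.php":
        "PHP Event Calendar (file-uploader)",
}

# Combined log format:
# host ident user [time] "METHOD target HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def normalise_path(target):
    """Strip the query string, percent-decode, and collapse repeated slashes,
    so trivial variations of a probe still match the watched path."""
    path = urlsplit(target).path
    path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)
    return path


def scan_log(lines):
    """Return (ip, method, status, plugin) for every request to a watched path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        plugin = WATCHED_PATHS.get(normalise_path(m.group("target")))
        if plugin:
            hits.append((m.group("ip"), m.group("method"),
                         int(m.group("status")), plugin))
    return hits


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2018:10:11:12 +0000] "GET /wp-content/plugins/ip-logger/chart/ofc_upload_image.php?name=x.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Nov/2017:02:03:04 +0000] "POST /wp-content//plugins/php-event-calendar/server/file-uploader/index.php HTTP/1.1" 404 211 "-" "python-requests/2.18"',
    '192.0.2.5 - - [26/Nov/2017:02:05:00 +0000] "GET /wp-content/plugins/php-event-calendar/server/file-uploader/index%2Ephp HTTP/1.1" 200 1534 "-" "curl/7.55"',
    '192.0.2.20 - - [26/Nov/2017:02:06:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, status, plugin in scan_log(SAMPLE_LOG):
        verdict = ("served: plugin appears to be installed" if status < 400
                   else "probe only: file not present")
        print(f"{ip} {method} {status} {plugin}: {verdict}")
```

Run against a real log with `scan_log(open("access.log"))`; the normalisation step matters because the double slash and the percent-encoded dot in the sample lines would otherwise slip past an exact string match.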

22 Nov 2017

Arbitrary File Upload Vulnerability in Wallable

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that led to that post was the plugin Wallable. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. The possible vulnerability that had been identified in the plugin was an arbitrary file upload vulnerability, and when we went to look into that we found that not only did that issue exist, but the plugin was fairly insecure in a more general fashion.

In three locations in the code the plugin would upload arbitrary files. Two of those are located in the function frontend_do_tasks(). When we went to test out exploiting one of those we found that, when not logged in to WordPress, the plugin would cause a fatal error before the upload could happen. [Read more]

16 Oct 2017

Is This Another Case of a Malicious Takeover of a WordPress Plugin?

In our previous post we noted how we had found that the plugin Facebook Like Box had recently had a cross-site request forgery (CSRF) related vulnerability fixed. In looking over what else had recently been done with the plugin we noticed in the previous release one of the changelog entries was “Fixed Security Bugs”.

Looking at the changes made in that version, several pieces of code that had been removed stood out. At first we noticed code for another CSRF related vulnerability; this time the CSRF vulnerability could lead to an arbitrary file upload vulnerability (in the file /cardoza_facebook_like_box.php): [Read more]

20 Sep 2017

Arbitrary File Upload Vulnerability in All Post Contact Form

Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we recently found an arbitrary file upload vulnerability in the All Post Contact Form plugin.

When the plugin's shortcode, rlallpostcontactform, is on a post or page the file /allpost-contactform-core.php is included. In that file the following code is run: [Read more]

6 Sep 2017

Arbitrary File Upload Vulnerability in Woocommerce Product Designer

Last week we looked at a recent example of the security industry vastly overstating the impact of a vulnerability; in that instance it involved a reflected cross-site scripting (XSS) vulnerability in a plugin used with the popular WordPress eCommerce plugin WooCommerce. What that situation also highlighted is the poor state of detection of vulnerabilities in WordPress plugins. Here is what the discoverer SiteLock wrote about finding it:

Our automated scanner alerted us to an XSS vulnerability on a customer’s website, which we determined was due to the WooCommerce “Product Vendors” plugin. What was unusual in this case is that the vulnerable plugin was, at the time, the most recent version, so no patches were yet available for the vulnerability. We immediately contacted Automattic concerning our findings in following our Responsible Disclosure Policy, provided all relevant information on the vulnerability, and coordinated this disclosure. [Read more]

14 Jun 2017

Vulnerability Details: File Manager Access Vulnerability in WP File Manager

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

[Read more]

20 Apr 2017

Arbitrary File Upload Vulnerability in WooCommerce Catalog Enquiry

One of the ways we keep track of vulnerabilities in WordPress plugins, so that we can provide our customers with the best data on them, is by monitoring the Support Forum on wordpress.org for threads related to those. Through that yesterday we came across a thread discussing that the demo website for the plugin WooCommerce Catalog Enquiry contained malware. It suggested that it was possible the issue was related to a vulnerability in the plugin. Looking over the code we quickly found an arbitrary file upload vulnerability in the plugin, which could allow an attacker to upload malicious files to the website. It isn't clear if the demo website was exploited through this or if the vulnerability has been exploited yet, and we haven't seen evidence through the other channels we monitor of any exploitation, but considering how easily we found it, it would be a good idea to assume this is already being exploited at this point.

WordPress Forum Moderators Interrupt Responsible Disclosure

We notified the developer of the plugin of the issue yesterday, but have yet to hear back from them. This morning the thread had been updated with a response from the developer that read in part: [Read more]