16 Aug 2016

Arbitrary File Upload Vulnerability in Attachment Manager

As we continue to review old third-party data on hacking attempts, to identify more vulnerabilities that hackers have likely already discovered in WordPress plugins, we spotted an arbitrary file upload vulnerability in the plugin Attachment Manager.

Back in June of last year a request was made for the file /wp-content/plugins/attachment-manager/xavisys-plugin-framework.css, which was likely a probe for usage of the plugin before exploiting it. Looking over the plugin for any obvious issues, we found that in version 2.1.1 a file upload capability is accessible without being logged in, despite only being intended to be accessed by users logged in as Administrators.
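The probe request described above is a useful detection signal for site owners reviewing their own access logs. The following is an added example, not code from the advisory or the plugin: it scans constructed combined-format log lines for the CSS probe path named above and for subsequent POSTs into the plugin directory, and reports clients that did both. The endpoint filename in the sample POST is a constructed placeholder, since the advisory does not name the upload handler.

```python
import re
from dataclasses import dataclass

# Paths taken from the advisory: the plugin directory and the CSS file whose
# request was seen as a likely probe for the plugin before exploitation.
PLUGIN_DIR = "/wp-content/plugins/attachment-manager/"
PROBE_FILE = PLUGIN_DIR + "xavisys-plugin-framework.css"

# Apache/nginx "combined" access log line (constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    kind: str   # "probe" or "post-to-plugin"
    path: str


def classify(line):
    """Return a Finding for a line that touches the plugin, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(PLUGIN_DIR):
        return None
    if m.group("method") == "GET" and path == PROBE_FILE:
        return Finding(m.group("ip"), "probe", path)
    if m.group("method") == "POST":
        # Assumption: an upload attempt against an unauthenticated handler
        # would show up as a POST somewhere under the plugin directory.
        return Finding(m.group("ip"), "post-to-plugin", path)
    return None


def scan(lines):
    """All plugin-related findings, in log order."""
    return [f for f in (classify(line) for line in lines) if f]


def probe_then_post(findings):
    """IPs that probed for the plugin and later POSTed into its directory."""
    probed, flagged = set(), []
    for f in findings:
        if f.kind == "probe":
            probed.add(f.ip)
        elif f.kind == "post-to-plugin" and f.ip in probed and f.ip not in flagged:
            flagged.append(f.ip)
    return flagged


# Constructed sample log lines (documentation IP ranges, placeholder endpoint).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2015:10:01:02 +0000] "GET /wp-content/plugins/attachment-manager/xavisys-plugin-framework.css HTTP/1.1" 200 1532',
    '203.0.113.7 - - [12/Jun/2015:10:01:09 +0000] "POST /wp-content/plugins/attachment-manager/PLACEHOLDER-endpoint.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [12/Jun/2015:10:02:00 +0000] "GET /wp-content/plugins/attachment-manager/xavisys-plugin-framework.css HTTP/1.1" 200 1532',
    '198.51.100.9 - - [12/Jun/2015:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ip, f.kind, f.path)
    print("probe followed by POST:", probe_then_post(scan(SAMPLE_LOG)))
```

A single GET of the CSS file from a client that never interacts with the plugin again is low-signal on its own; the probe-then-POST pairing is what merits a closer look at what was written to the uploads directory.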