7 Jun 2024

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Appointment Booking and Online Scheduling

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in the plugin Appointment Booking and Online Scheduling.

We are now also running all the plugins used by our customers through that on a weekly basis to provide additional protection for them. [Read more]

16 Jan 2024

Did ChatGPT Write This Severely Vulnerable Code Added to the Sage AI Content Writer WordPress Plugin?

A lot has been made about the possible security risk of code created by ChatGPT, whether in WordPress plugins or otherwise. A more pedestrian risk is that WordPress plugins that interact with ChatGPT are themselves insecure, whether written by ChatGPT or not. On Friday, we found one of those had just added extremely vulnerable code that hackers would exploit. Another plugin added slightly less vulnerable code over the weekend.

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught such a vulnerability being added to Sage AI Content Writer. The vulnerability is an authenticated arbitrary file upload vulnerability, which, as the name suggests, allows someone logged in to WordPress to upload arbitrary files to the website. An attacker could upload a .php file with malicious code and take over the website. [Read more]

7 Dec 2023

Digging In To The Authenticated Arbitrary File Upload Vulnerability in Elementor

Yesterday, an update was released for the 5+ million install WordPress plugin Elementor with a changelog entry suggesting a security issue was addressed: “Fix: Improved code security enforcement in File Upload mechanism.” While looking into this, we found that Elementor appears to have multiple issues. We found the plugin did have an arbitrary file upload vulnerability, and whether it is now fixed is arguable. Based on what we know now, we would say it is fixed, but some insecurity remains, and there may be something we are missing. (Update 12/8: Elementor has released a second fix to address the remaining insecurity.) As we have been saying since April, we would recommend not using plugins from Elementor based on repeated incidents of poor security handling.

Other Providers’ Claims

Based on that changelog, it appears the WordPress security provider Wordfence claimed there was a fixed or unfixed authenticated (Contributor+) arbitrary file upload to remote code execution via template import vulnerability in the plugin, which they described this way: [Read more]

9 Oct 2023

Another Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed Exploitable Vulnerability

On Friday, we saw a hacker probing for usage of the WordPress plugin Dropshipping & Affiliation with Amazon across our websites and other websites. As part of keeping track of vulnerabilities in WordPress plugins for our service, we needed to try to figure out what explained that interest. What we found was alarming, though unsurprising. Three days before that the WordPress security provider Patchstack had vaguely claimed the latest version of the plugin contained a fairly serious vulnerability. And yet as of writing, the vulnerable plugin still is available in the WordPress Plugin Directory. So something clearly has gone wrong here. And not for the first time, even very recently.

As with another recent instance of an unfixed vulnerability likely being targeted, it wouldn’t be hard for WordPress to release a fix to stop exploitation. That is something we have offered for years to help them with. They haven’t taken up our offer of help or dealt with it on their own. [Read more]

18 Sep 2023

Hacker Likely Targeting Unfixed Vulnerability in WordPress Plugin Mislabeled as Much Less Serious Vulnerability by Patchstack and Wordfence

Over the weekend, we saw one of the usual hackers probing for usage of WordPress plugins, this time probing for usage of a plugin named Export Import Menus. That plugin was closed on the WordPress Plugin Directory on September 12, with no explanation for the closure. Before it was closed, WordPress listed it as having 10,000+ active installs. Upon seeing that, what we needed to figure out is what a hacker might be interested in exploiting in it and whether that is an already known issue. These days, hackers often target vulnerabilities being disclosed by other plugin vulnerability data providers. There was a recently disclosed vulnerability in the plugin, but one that wouldn’t be of much interest to hackers. With further checking, we found the vulnerability is actually much more serious than was claimed by other providers and would likely be a target for hackers.

If the team running the WordPress Plugin Directory had known about the severity of the vulnerability, they could and should have pushed out a fix for the vulnerability before a hacker started targeting the plugin. They also could have forced out an update to address it. Fixing it enough to prevent exploitation would have been very easy. It only takes two lines, which we show below. With the inaccurate information provided by other providers, though, they wouldn’t have known that this was a serious issue. [Read more]

12 Jun 2023

Hackers Likely Trying to Exploit This Partially Fixed Vulnerability in the WordPress Plugin Download Monitor

In the past few days we have seen what appear to be at least two hackers probing for usage of the WordPress plugin Download Monitor, which has 100,000+ installs. In looking into what might explain that, we found that there was a vulnerability that hackers would try to exploit that was partially fixed shortly before the probing started. Thankfully, there are some important limitations to it being exploitable.

The changelog for a recent version of the plugin had a concerning entry: [Read more]

7 Apr 2023

Authenticated Arbitrary File Upload Vulnerability in MapSVG

Over at our main business, we were recently cleaning up a hacked WordPress website. As part of that service, we run the plugins being used on the website through the same software we use to do proactive monitoring to catch serious vulnerabilities being introduced into WordPress plugins. Through that we caught a couple of less serious vulnerabilities in the commercial plugin MapSVG. In line with our reasonable disclosure policy, we are disclosing the vulnerabilities, as the developer hasn’t gotten back to us in the week since we notified them of the vulnerabilities (the developer never fixed a vulnerability we discovered in their free MapSVG Lite in 2019).

One of the vulnerabilities allows WordPress users with the edit_posts capability, which is normally users with the Contributor role and above, to upload arbitrary files to the website. [Read more]

19 May 2022

Contempo Real Estate Custom Posts WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Last week there was what looked to be a hacker probing for usage of the WordPress plugin Contempo Real Estate Custom Posts in third-party data we monitor, by requesting this file:

/wp-content/plugins/contempo-real-estate-custom-posts/readme.txt [Read more]

18 May 2022

Hacker Probably Targeting This Authenticated Arbitrary File Upload Vulnerability in WP ERP

Earlier this week Wordfence got press coverage for a situation where they were obliquely admitting they were way behind hackers, as they were claiming to have started seeing attacks against a vulnerability in a WordPress plugin on May 10, while publicly available data from the website abuseipdb.com was showing attacks at the end of March. On Monday, data we monitor from that website showed what looked to be a hacker probing for usage of the WordPress plugin WP ERP by requesting this file from it:

/wp-content/plugins/erp/readme.txt [Read more]