2 Mar 2020

Hackers May Already Be Targeting This Authenticated Arbitrary File Upload Vulnerability in WP Ultimate CSV Importer

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in the WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website yesterday for the plugin WP Ultimate CSV Importer by requesting these files:

  • /wp-content/plugins/wp-ultimate-csv-importer/assets/css/deps/csv-importer-free.css
  • /wp-content/plugins/wp-ultimate-csv-importer/wp-ultimate-csv-importer.md

Like the previous plugins we discussed last week that appear to be targeted by this campaign, the plugin is very insecure. The most serious vulnerability we noticed in it would probably be an authenticated arbitrary file upload vulnerability. [Read more]

7 Oct 2019

What Security Review? Brand New WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the brand new plugin Word Of The Day, which we came across due to our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, which flagged that it possibly contained an arbitrary file upload vulnerability, a type of vulnerability likely to be exploited. In reviewing this we found that it does contain an authenticated variant of that, which can also be exploited through cross-site request forgery (CSRF).

We have long offered to help the team running the Plugin Directory gain a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have also long offered the team running the Plugin Directory free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers. [Read more]

31 Jul 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into uListing

One of the ways we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability being introduced into the plugin uListing, which can also be exploited through cross-site request forgery (CSRF). The vulnerability occurs in code handled through WordPress’ REST API, which is increasingly a vector through which vulnerabilities in WordPress plugins are accessible. (We have included checking over functionality running through the REST API in our security reviews of WordPress plugins since earlier this year due to the prevalence of issues.)

The plugin registers the function upload_file() to be accessible through the WordPress REST API as part of new import/export functionality: [Read more]

28 Jun 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in the WordPress Plugin MapSVG Lite

If you were already using our service you would know that the plugin MapSVG Lite isn’t secure, as there was an unfixed vulnerability disclosed at the beginning of the year. If you were relying on other data sources there is a good chance you wouldn’t know that, since the ultimate source of a lot of those, the WPScan Vulnerability Database, claims that it was fixed:

[Read more]

12 Jun 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WooCommerce Extending Plugin

When it comes to the security of WordPress plugins the unfortunate reality is that the same problems occur over and over, and yet it seems we are largely alone in being interested in trying to take action to address them. One of the issues with that is that what we can do is limited; most of the changes require the people in charge of the Plugin Directory being willing to work with others to fix them, which isn’t happening, as they seem to be detached from reality and are unwilling to even acknowledge the problems exist, much less discuss making changes to fix those problems.

One rather frequent issue with the security of WordPress plugins is that plugins designed to extend WooCommerce, which has 4+ million installs, are not properly restricting access to AJAX accessible functions. Seeing as by default that plugin allows untrusted individuals to create accounts, allowing anyone logged in to WordPress to access functionality only intended for high level users is of particular concern. [Read more]

5 Jun 2019

Vulnerability Details: Authenticated Arbitrary File Upload in Crelly Slider

One of the changelog entries for the latest version of Crelly Slider is “Security patch”, which might explain why it was closed on the Plugin Directory on May 31. Looking at the changes made in that version we found that capabilities checks and nonce checks (to prevent cross-site request forgery (CSRF)) were added to a number of AJAX accessible functions. The most serious issue that the lack of those checks looks to have allowed is an authenticated arbitrary file upload vulnerability, which is also exploitable through CSRF. Considering that the plugin has 20,000+ installs, that might be something that hackers start to try to target on websites that allow user registration (if they haven’t already). Since the plugin is still closed, you can’t update the plugin normally, so any customers needing help with that should feel free to contact us to get assistance.
[Read more]

29 Apr 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in PollDeep

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability in the plugin PollDeep.

This vulnerability isn’t all that complicated. The plugin registers the function polldeep_upload_files_to_polldeep() to be accessible to anyone logged in to WordPress: [Read more]

31 Jan 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WordPress Plugin with 300,000+ Installs

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, we use software to flag potential issues (you can check plugins in the same way using our Plugin Security Checker) and then we manually check over the code. The second part of that can take a substantial amount of time, as while sometimes the code that runs before the potentially vulnerable code is limited and tightly woven, often it isn’t. That was the case with the code that leads to an authenticated arbitrary file upload vulnerability we found had been introduced into the plugin Meta Box, which has 300,000+ installs according to wordpress.org.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community. [Read more]

30 Jan 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Events Made Easy

Yesterday we disclosed an arbitrary file upload related vulnerability, discovered through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, in which the underlying vulnerable code ran despite the user interface for it being disabled. That turns out not to be a one-off issue, as our proactive monitoring has also led to us finding an authenticated arbitrary file upload vulnerability in the plugin Events Made Easy where the user interface also appears to be missing. This is a good reminder of the limits of trying to look for vulnerabilities without looking at the underlying code of software.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community. [Read more]

2 Jan 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in WP Githuber MD

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a more limited variant of one of the most likely to be exploited types of vulnerabilities as it was being introduced into a plugin: an authenticated arbitrary file upload vulnerability in the plugin WP Githuber MD, which in this case would provide hackers who have access to a WordPress account with at least the Author role with the ability to gain complete control of the website.

This vulnerability is yet another good reason to check the plugins you use through our Plugin Security Checker, since it can alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). The check that flagged this is part of a recent improvement of our detection of possible file upload vulnerabilities, so even if you checked your plugins before, you might find they are impacted. From there, if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that, or you can order the same type of review separately. [Read more]