Arbitrary File Upload Vulnerability in ecSTATic
As we continue to review old third-party data on hacking attempts to identify more vulnerabilities that hackers have likely already discovered in WordPress plugins, we spotted an arbitrary file upload vulnerability in the plugin ecSTATic.
Back in July of last year a request was made for the file /wp-content/plugins/ecstatic/ecstatic_widget_table.css, which was likely a probe for usage of the plugin before exploiting it. Looking over the plugin for any obvious issues, we found that in its current version, 0.9933, a file upload capability is accessible without being logged in, despite being intended only for users logged in as Administrators.
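The defect described above, an upload handler that is meant for Administrators but never checks who is calling it, is a common WordPress plugin pattern. The following is an added illustration of that pattern and its fix; it is not ecSTATic's code, the page does not say how ecSTATic exposes its upload, and the plugin slug "example-stats", the AJAX action names and the function names are assumed for the example.

```php
<?php
// Added illustration of the vulnerability class, not code from ecSTATic.
// Hypothetical plugin "example-stats"; hook, action and function names are assumed.

// VULNERABLE PATTERN: admin-ajax.php is reachable by anyone, so registering the
// handler on the "nopriv" hook makes it callable without logging in, and the
// handler itself never checks the caller's capability.
add_action( 'wp_ajax_nopriv_example_stats_upload', 'example_stats_upload_vulnerable' );
add_action( 'wp_ajax_example_stats_upload',        'example_stats_upload_vulnerable' );

function example_stats_upload_vulnerable() {
    if ( empty( $_FILES['datafile'] ) ) {
        wp_die( 'no file' );
    }
    // No capability check, no nonce, no file-type restriction: any visitor can
    // write a file of their choosing (including .php) under wp-content/uploads.
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['datafile']['name'] );
    move_uploaded_file( $_FILES['datafile']['tmp_name'], $dest );
    wp_die( 'uploaded' );
}

// HARDENED PATTERN: only the logged-in hook, an explicit capability check,
// a nonce to block CSRF from an Administrator's browser, and WordPress's own
// upload handling, which enforces an allow-list of types and sanitizes the name.
add_action( 'wp_ajax_example_stats_upload_secure', 'example_stats_upload_secure' );

function example_stats_upload_secure() {
    // Reject anyone who is not an Administrator (manage_options) before touching input.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce must have been issued for this action; fails the request otherwise.
    check_ajax_referer( 'example_stats_upload', 'nonce' );

    if ( empty( $_FILES['datafile'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['datafile'],
        array(
            'test_form' => false,
            // Restrict to the formats this feature actually needs; .php is never accepted.
            'mimes'     => array( 'csv' => 'text/csv', 'txt' => 'text/plain' ),
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'] ) );
}
```

When auditing a plugin for this class of issue, look for every code path that ends in move_uploaded_file() or wp_handle_upload() and trace it back to the hook that reaches it: anything registered on wp_ajax_nopriv_*, on init, or in a file that can be requested directly needs a current_user_can() check in the handler itself, since the hook name alone does not restrict who can call it.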