31 May 2016

Authenticated Arbitrary File Upload Vulnerability in Magic Fields

In our previous post about an old arbitrary file upload vulnerability in Magic Fields, we mentioned that while reviewing that vulnerability we noticed that another one existed.

To recap, in version 1.5.6 of Magic Fields code was added to the file /RCCWP_upload_ajax.php that checked if you were logged in and able to at least edit posts, which is a capability available to Contributor level users and above, before allowing arbitrary files to be uploaded through the file: [Read more]

31 May 2016

Old Vulnerability Report: Arbitrary File Upload in Magic Fields

One of the things that we do to keep track of the plugin vulnerabilities out there is to monitor hacking attempts on our websites. That sometimes leads us to finding what looks to be exploitation of vulnerabilities that a hacker has just discovered. In other cases it shows really old vulnerabilities that hackers are still trying to exploit. We have recently had some requests for a file from the plugin Magic Fields:

/wp-content/plugins/magic-fields/MF_Constant.php [Read more]