2 Feb 2022

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, a restricted file upload vulnerability, being introduced into the plugin Sitemap by click5.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

30 Jul 2019

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in The Brand New WordPress Plugin GA Top Posts

One of the ways we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a restricted file upload vulnerability in the brand new plugin GA Top Posts.

The plugin registers the function ga_save_settings() to be accessible through WordPress AJAX functionality to those logged in to WordPress as well as those not logged in: [Read more]

1 Jul 2019

Vulnerability Details: Arbitrary File Upload in Insert or Embed Articulate Content into WordPress

One area where WordPress plugins need to be very careful when it comes to security is handling file uploads. The plugin Insert or Embed Articulate Content into WordPress hasn’t been doing that, and it seems the developer doesn’t have the capability to handle that.

[Read more]

22 Mar 2019

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Sooqr Search

Much like what we found with the plugin Analytics-Gtag earlier this week, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a restricted file upload vulnerability in the plugin Sooqr Search, which could most obviously be used to cause persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file. It also could, say, be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to be executed.

The plugin registers the function sooqr_save_javascript() to run during admin_init: [Read more]

20 Mar 2019

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability Being Added to Analytics-Gtag

When it comes to our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, usually the code getting flagged by that is deep inside of other code, so confirming there is a vulnerability requires a bit of work. That wasn’t the case with the code added to the latest version of the plugin Analytics-Gtag that creates a restricted file upload vulnerability, which could most obviously be used to cause persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file. It also could, say, be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to be executed.

The new version of the plugin adds a file named creator.php, which will take the value of the GET input “param4”: [Read more]

4 Feb 2019

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Accessibility Suite by Online ADA

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a restricted file upload vulnerability in the plugin Accessibility Suite by Online ADA that would allow an attacker to write arbitrary content to a file on the website. The file has a .png extension, so the vulnerability could be directly used to upload any image the attacker wanted, and it could also be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to run on the website.

Since our Plugin Security Checker checks for the same type of code, it will alert you if plugins you use possibly contain the same type of vulnerable code (and possibly contain more serious vulnerable code). From there, if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

11 Dec 2018

Vulnerability Details: Restricted File Upload in Woocommerce Pay.nl Payment Methods

In a nasty reminder of why it is a good idea for plugin developers to pare third-party libraries down to only the files they need, our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins spotted a possible security issue in code being removed from the plugin Woocommerce Pay.nl Payment Methods. What we found was that for 22 months the plugin had several serious security issues due to a test file from the library PHP Curl Class, one of those being a restricted file upload vulnerability. We are in the process of contacting the developer of the library about this.

[Read more]

4 Oct 2018

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in VendorFuel

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used to try to spot the possibility of those, most of the vulnerabilities found so far have come from only two of them. Recently, though, another one of those checks caught a vulnerability in the plugin VendorFuel that allows anyone to rewrite the contents of a .css file that is part of the plugin.

The code that causes that is at the beginning of the file /admin-pages/styling.php: [Read more]

20 Dec 2017

Vulnerability Details: Restricted File Upload Vulnerability in Gallery by BestWebSoft

While looking into what hackers might be targeting in the plugin Sharexy, we took a look at what appeared to be a related request to see if a file that previously had existed in the plugin Gallery by BestWebSoft was on our website. The file requested was /wp-content/plugins/gallery-plugin/upload/php.php, which has been claimed to have an arbitrary file upload vulnerability as of version 3.06. Though at least by our definition that isn’t true, because the extension of the files that could be uploaded through that file is limited.

The file /upload/php.php defines what extension uploaded files can have with the following line: [Read more]