Back in June and July we ran into an odd situation where there was supposed to have been a vulnerability fixed in the plugin WP Job Manager, but what is supposed to be the issue was still possible with the plugin. That supposed issue involved some form of abuse of the plugin’s image upload capability, but the change made simply restricted uploading images through WordPress’ AJAX functionality when not logged in to WordPress, but by default those not already with WordPress accounts on the website can still upload images files. The developer’s explanation for the action they took doesn’t really make sense, but out of this it did provide an indication that people with bad intentions will abuse the ability to upload image files. That capability to upload image files could also be used in conjunction with a local file inclusion (LFI) vulnerability, so making sure that those that are not intended to upload image files can’t upload them is a good idea.
All that brings us to the plugin Social Articles, which came on to our radar because code in it was noticed during our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. That picked up the possibility that there was an arbitrary file upload vulnerability in the plugin. When we went to look into that we found the plugin’s code would restrict files that could be uploaded to ones that had one of the following image extensions: gif, jpeg, jpg, or png. So there wasn’t an arbitrary file upload vulnerability, but in looking in to that we found that the plugin was allowing people not intended to upload files to do that. [Read more]