The WordPress plugin called ‘Cherry Plugin’ has a vulnerability which enables an attacker to upload files directly to the server. These files may then be executed by the attacker remotely to execute code or carry out other malicious activities.
- The attacker sends a POST request to ‘wp-content/plugins/cherry-plugin/admin/import-export/upload.php’.
- The attacker can access the file at ‘wp-content/plugins/cherry-plugin/admin/import-export/<malicious file>’.
No prior authentication is needed to create a successful exploit
There is an arbitrary file upload in the Wordpress plugin called ‘Cherry Plugin’. The vulnerability is caused by the lack of input validation and access control in the file’s ‘upload.php’. An unauthenticated user can make a request to upload.php, uploading an arbitrary file to the server. From here, the attacker could compromise the confidentiality, integrity, and availability of the server.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedure, such as:
- Isolate the compromised device from the network
- Wipe and reinstall the device from secure media
- Patch the vulnerability from a trusted source (or otherwise mitigate with FW, config, etc.)
- Replace data from backups
- Test the device
- Return the compromised device to the network and full operation