
06/19/17: WordPress (CMS) Cherry-Plugin Arbitrary File Upload RCE | Security Bulletin

Threat Summary

Overview

The WordPress plugin ‘Cherry Plugin’ has a vulnerability that allows an attacker to upload files directly to the server. The attacker can then request those files remotely to execute code or carry out other malicious activity.

Exploitation

Stages

  1. The attacker sends a POST request to ‘wp-content/plugins/cherry-plugin/admin/import-export/upload.php’.
  2. The attacker can access the file at ‘wp-content/plugins/cherry-plugin/admin/import-export/<malicious file>’.

Prerequisites

No prior authentication is needed to exploit this vulnerability.

Vulnerability Description

There is an arbitrary file upload in the WordPress plugin ‘Cherry Plugin’. The vulnerability is caused by the lack of input validation and access control in the file ‘upload.php’. An unauthenticated user can make a request to upload.php and upload an arbitrary file to the server. From there, the attacker could compromise the confidentiality, integrity, and availability of the server.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. When a signature is detected, an incident is generated in the Alert Logic console.
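
Site operators without network IDS coverage can look for the same two-stage pattern in their web server access logs. The following script is an added example for this bulletin, not Alert Logic's signature or the plugin's code: it parses Apache/Nginx combined-format log lines, flags POST requests to the plugin's upload.php (stage 1), and raises the severity when a file in the same import-export directory is subsequently served with HTTP 200 (stage 2). The log lines, the IP addresses and the uploaded file name are constructed; the one-hour correlation window is an assumed tuning value.

```python
"""Correlate the two stages of the Cherry Plugin file-upload chain in access logs.

Added example (not Alert Logic's IDS signature, not Cherry Plugin code).
Stage 1: POST to .../cherry-plugin/admin/import-export/upload.php
Stage 2: a later successful request for a file in the same directory.
"""
import re
from datetime import datetime

UPLOAD_DIR = "/wp-content/plugins/cherry-plugin/admin/import-export/"
UPLOAD_HANDLER = UPLOAD_DIR + "upload.php"

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop any query string so path comparison is exact.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_upload_chain(lines, window_seconds=3600):
    """Return findings for stage 1 and stage 2 of the upload chain.

    Stage 1 is reported at medium severity because the plugin's own admin
    import feature also posts to upload.php; confirm it came from an
    authenticated administrator. Stage 2 (a file in the import-export
    directory served with 200 within window_seconds of a stage-1 POST)
    is reported at high severity.
    """
    findings = []
    upload_posts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_HANDLER:
            upload_posts.append(ev)
            findings.append({"stage": "upload_post", "severity": "medium",
                             "ip": ev["ip"], "path": ev["path"], "status": ev["status"]})
        elif ev["path"].startswith(UPLOAD_DIR) and ev["path"] != UPLOAD_HANDLER:
            recent = [u for u in upload_posts
                      if 0 <= (ev["ts"] - u["ts"]).total_seconds() <= window_seconds]
            if recent and ev["status"] == 200:
                findings.append({"stage": "uploaded_file_access", "severity": "high",
                                 "ip": ev["ip"], "path": ev["path"], "status": ev["status"]})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, made-up file name).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jun/2017:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2135 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jun/2017:10:02:40 +0000] "POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1" 200 63 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jun/2017:10:02:41 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/upload-1497866561.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Jun/2017:10:05:00 +0000] "GET /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in detect_upload_chain(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['stage']}: {f['ip']} {f['path']} -> {f['status']}")
```

The fourth sample line (a GET to upload.php answered with 404) is deliberately not flagged: only a POST to the handler counts as stage 1, and only a successful response for a different file in that directory counts as stage 2, which keeps routine scanner noise out of the high-severity bucket.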

Recommendations for Mitigation

Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedure, such as:

  • Isolate the compromised device from the network
  • Wipe and reinstall the device from secure media
  • Patch the vulnerability from a trusted source (or otherwise mitigate with FW, config, etc.)
  • Replace data from backups
  • Test the device
  • Return the compromised device to the network and full operation
