The WordPress plugin ZoomSounds creates and manages audio players with optional playlists. Versions <2.0 of the plugin are vulnerable to the upload of executable PHP. The vulnerable file admin/upload.php rejects uploads with the php file extension, but the check can be bypassed by using the phtml extension, which PHP-enabled web servers commonly execute as PHP.
- The attacker sends an HTTP POST to upload an executable PHP file (.phtml) to the vulnerable ZoomSounds WordPress plugin.
- The server responds with HTTP 200 OK and a success message.
The attacker can access the upload functionality directly and without authentication.
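The flaw described above, as an added illustration that is not the plugin's own code: a denylist of the kind the advisory describes refuses only the literal php extension, so a phtml name passes, whereas an allowlist of audio extensions plus a server-side MIME sniff, gated on a WordPress login and capability check, closes both the extension bypass and the missing authentication. It assumes a WordPress runtime for is_user_logged_in() and current_user_can(); the function names and sample file names are constructed for the example.

```php
<?php
// Added example, not ZoomSounds code. Denylist style: only the literal "php"
// extension is refused, so "phtml" (executed as PHP by many web servers)
// passes straight through.
function denylist_allows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Allowlist style: accept only the audio formats an audio-player upload
// endpoint has any reason to receive, and require exactly one extension so
// multi-extension names such as "track.phtml.mp3" are rejected as well.
const AUDIO_EXTENSIONS = ['mp3', 'ogg', 'wav', 'm4a'];

function allowlist_allows(string $filename): bool {
    $base = basename($filename);
    if (substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, AUDIO_EXTENSIONS, true);
}

// Hardened handler sketch (hypothetical): authenticate and authorise first,
// which the vulnerable endpoint did not, then validate the extension and the
// MIME type sniffed from the file bytes rather than the client Content-Type.
function handle_upload(array $file): bool {
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        return false;
    }
    if (!allowlist_allows($file['name'])) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $audio_mimes = ['audio/mpeg', 'audio/ogg', 'audio/x-wav', 'audio/wav', 'audio/mp4'];
    return in_array($mime, $audio_mimes, true);
}

// Constructed sample names: the denylist admits the .phtml name that the
// allowlist refuses, while a plain audio file passes the allowlist.
$denylist_admits_phtml  = denylist_allows('player.phtml');
$allowlist_admits_phtml = allowlist_allows('player.phtml');
$allowlist_admits_mp3   = allowlist_allows('track.mp3');
```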
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade the plugin to a non-vulnerable version (2.0 or later, per the affected range above).