An arbitrary file upload vulnerability exists in the upload.php script of the WordPress plugin 1 Flash Gallery. The vulnerability is present in versions 1.3.0 to 1.5.7.a. An attacker can upload arbitrary PHP code via crafted requests, potentially resulting in PHP code execution on the target host. No authentication is required for successful exploitation of this vulnerability.
Exploitation
Stages
- The attacker sends an HTTP POST request to upload.php with a malicious PHP file contained in the POST body.
- The injected payload is processed by the target host and written to the plugin-specific uploads directory.
Prerequisites
Exploitation requires a vulnerable plugin version and a WordPress installation in which the web server has read/write permissions to the plugin-specific uploads directory.
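The two stages above leave a recognisable pair of entries in web server access logs: a POST to the plugin's upload.php, followed by a request for a PHP file under the uploads directory. The following is an added example for log review, not code from the advisory and not an Alert Logic signature; the plugin path (`PLUGIN-SLUG` is a placeholder), the uploads prefix, and the sample log lines are assumptions to replace with values from your own installation.

```python
import re

# Assumptions (not from the advisory): placeholder plugin path and uploads
# prefix; substitute the real locations from your own installation.
PLUGIN_UPLOAD = "/wp-content/plugins/PLUGIN-SLUG/upload.php"
UPLOADS_PREFIX = "/wp-content/uploads/"
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Combined Log Format: ip ident user [time] "METHOD path proto" status size
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_chains(lines):
    """Return (ip, upload_ts, script_path, script_ts) for each client that
    POSTed to the plugin's upload.php and was later served a PHP file
    from under the uploads directory."""
    uploads = {}   # ip -> timestamp of first accepted POST to upload.php
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, ts, status = m["ip"], m["ts"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path == PLUGIN_UPLOAD and status < 400:
            uploads.setdefault(ip, ts)
        elif (ip in uploads and path.startswith(UPLOADS_PREFIX)
              and PHP_EXT.search(path) and status < 400):
            findings.append((ip, uploads[ip], path, ts))
    return findings

# Constructed sample log lines (documentation addresses, invented file names).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-content/plugins/PLUGIN-SLUG/upload.php HTTP/1.1" 200 52',
    '203.0.113.9 - - [10/Mar/2015:10:00:03 +0000] "GET /wp-content/uploads/2015/photo.jpg HTTP/1.1" 200 48213',
    '192.0.2.50 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-content/plugins/PLUGIN-SLUG/upload.php HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Mar/2015:10:00:09 +0000] "GET /wp-content/uploads/PLUGIN-SLUG/img.php?x=1 HTTP/1.1" 200 17',
    '192.0.2.50 - - [10/Mar/2015:10:00:12 +0000] "GET /wp-content/uploads/PLUGIN-SLUG/img.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for finding in find_upload_chains(SAMPLE):
        print(finding)
```

The per-IP correlation misses clients that change address between the upload and the follow-up request, so a PHP file served from under the uploads directory is worth alerting on by itself.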
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.