Versions of the WordPress plugin Aviary-Image-Editor-Addon-For-Gravity-Forms earlier than 3.0R6 are vulnerable to arbitrary file upload. Unauthenticated users can upload any file type, including executable PHP, to the server.
Exploitation
Stages
- The attacker sends an HTTP POST request containing an executable PHP file to the path of the vulnerable Aviary Image Editor WordPress plugin on the server.
- The server replies with an HTTP 200 OK and a JSON-formatted success message containing the path to the uploaded file.
Prerequisites
Attackers can access and exploit the vulnerable PHP file directly and without authentication.
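For sites without the IDS signature, the two stages above can be hunted in web server access logs. The following is an added example, not code from the advisory or from Alert Logic: it flags successful POSTs into the plugin directory and raises the severity of any later PHP file served from the uploads directory. The plugin directory prefix, the uploads location, the Combined Log Format and the sample lines are all assumptions.

```python
import re

# Combined Log Format fields used here: client, request line, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: the plugin directory name starts with "aviary-image-editor".
PLUGIN = re.compile(r"^/wp-content/plugins/aviary-image-editor[^/]*/", re.I)
# Assumption: uploaded files end up under the WordPress uploads directory.
UPLOADED_PHP = re.compile(
    r"^/wp-content/uploads/[^?]*\.ph(p\d?|tml)(\?|$)", re.I
)

def scan(lines):
    """Return (severity, line_no, client, path) tuples in log order."""
    findings = []
    upload_seen = False  # global: the follow-up may come from another client
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m or m["status"] != "200":
            continue  # stage 2 of the advisory is an HTTP 200 OK
        path = m["path"]
        if m["method"] == "POST" and PLUGIN.match(path):
            upload_seen = True
            findings.append(("review", no, m["ip"], path))
        elif UPLOADED_PHP.match(path):
            severity = "high" if upload_seen else "review"
            findings.append((severity, no, m["ip"], path))
    return findings

# Constructed sample log: addresses are documentation ranges and
# PLACEHOLDER stands for names the advisory does not give.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-content/plugins/aviary-image-editor-PLACEHOLDER/PLACEHOLDER.php HTTP/1.1" 200 97 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:05:09 +0000] "GET /wp-content/uploads/PLACEHOLDER/sample.php HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.4 - - [01/Jan/2024:10:06:00 +0000] "POST /wp-content/plugins/aviary-image-editor-PLACEHOLDER/PLACEHOLDER.php HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "review" finding on its own can be a legitimate image upload; a "high" finding means a PHP file was served from the uploads directory after such a POST and should be inspected on disk.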
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.