There exists an authenticated arbitrary file upload vulnerability in versions <= 1.0 of the WordPress responsive thumbnail slider plugin. The vulnerability exists due to a lack of user input validation in the plugin's image upload functionality. Attackers with access to admin credentials can exploit the vulnerability to achieve remote code execution on target web servers.
Exploitation
Stages
- An authenticated upload request is made containing malicious PHP code.
- The server responds with a ‘200’ status code containing a ‘wp-settings-2’ cookie.
- The uploaded file is requested using the hashed cookie value to achieve Remote Code Execution.
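As an added example (not part of the Alert Logic advisory or of the plugin's code), the following Python scanner looks for the stage sequence above in constructed web-server access-log lines: a POST to a wp-admin page from one client, followed by a successful request for a PHP file under wp-content/uploads from the same client. The plugin's exact admin page name is not given on this page, so the sample log uses a placeholder for it.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Stage 3 of the advisory: a PHP file is fetched (and executed) from the uploads
# directory, which should normally only ever serve static media.
UPLOAD_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.ph(p\d?|tml|ar)(\?.*)?$', re.I)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_rce(lines):
    """Return (ip, path) for every client that POSTed to a wp-admin page (stage 1)
    and later received a 200 for a PHP file under wp-content/uploads (stage 3)."""
    posted = defaultdict(bool)   # client IP -> has issued a wp-admin POST
    hits = []
    for line in lines:
        r = parse_line(line)
        if not r:
            continue
        if r["method"] == "POST" and r["path"].startswith("/wp-admin/"):
            posted[r["ip"]] = True
        elif (r["status"] == "200" and UPLOAD_PHP_RE.match(r["path"])
              and posted[r["ip"]]):
            hits.append((r["ip"], r["path"].split("?")[0]))
    return hits

# Constructed sample log lines (not taken from the advisory); PLUGIN_PAGE_PLACEHOLDER
# stands in for the plugin's real admin page, which this page does not name.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-admin/admin.php?page=PLUGIN_PAGE_PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET /wp-content/uploads/2023/10/slide-image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:12:00:05 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:12:00:06 +0000] "GET /wp-content/uploads/2023/10/old.php HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path in find_upload_rce(SAMPLE_LOG):
        print(f"possible upload RCE: {ip} executed {path}")
```

A 404 for a PHP file under uploads (as in the last sample line) is not flagged, but is still worth watching as a sign of probing.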
Prerequisites
This exploit requires access to admin credentials for the WordPress installation. Admin credentials can be acquired in the following ways:
- Brute force attacks using dictionaries of leaked passwords
- Stolen credentials as a result of other targeted attacks
- Cross-Site Request Forgery may be possible due to the lack of obvious nonce values in the upload request
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Alert Logic Threat Manager™ Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. If a signature is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The plugin should be updated to the latest version in which the vulnerable upload logic has been removed and substituted with more robust WordPress functionality.
Because the vulnerability requires authentication, care should be taken to secure the WordPress accounts associated with the installation.