The ‘ACF Frontend Display’ plugin is used for generation of custom field values callable via shortcodes in the WordPress platform. The plugin contains a file upload vulnerability whereby an attacker is able to upload arbitrary files via the vulnerable script acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php. This is due to a lack of sanitization or authorization when accepting uploads. No authentication is required for successful exploitation of this vulnerability.
- An attacker makes a form upload request to wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php containing php payload.
- The plugin accepts the upload due to a lack of sanitization or authorization and moves the file to the public location wp-content/uploads/uigen_[CURRENT_YEAR]/[filename].php.
The attacker can exploit the public-facing host running WordPress and WordPress Plugin ACF Frontend Display 2.0.5.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.