An arbitrary file upload vulnerability exists in versions 1.13 through 1.8 of the ‘i-dump-iphone-to-wordpress-photo-uploader’ plugin for WordPress (1.8 being the last version published). The upload handler makes no attempt to validate, filter, or otherwise control the content it accepts: neither the file extension nor the file contents are checked before the file is stored in a web-accessible location. The plugin can optionally require a username and password from users who wish to upload, but that is an authentication control, not a content control; an authenticated user can still upload a PHP script or any other potentially malicious file type to the server without any validation, so enabling the option does not remove the vulnerability.
Exploitation
Stages
- The attacker sends an upload request to the vulnerable WordPress instance with a PHP script as the uploaded file.
- The server responds with an HTTP ‘500’ response code and the upload form in the response body. The error does not mean the upload was refused; the script has already been written to disk.
- The attacker requests the uploaded file. Because the stored filename is derived from a timestamp, the attacker tries one or more predicted timestamp values around the time of the upload until a request hits the stored file, which the server then executes as PHP.
Prerequisites
The attacker must be able to send crafted HTTP requests to the target system. If the plugin has been configured to require a username and password for uploads, the attacker additionally needs a valid upload account; no other privilege is required.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. When the exploit is detected via Alert Logic Threat Manager™, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The plugin in question is no longer available for download and was last updated five years ago, with version 1.8 representing the most recent release, so no fixed version exists. The plugin should be removed and an actively maintained plugin providing equivalent functionality sourced. If removal is not immediately possible, virtual patching should be implemented to limit the risk of compromise while an alternative is found: for example, a WAF rule that blocks requests to the plugin's upload handler, combined with a web server rule that refuses to execute scripts from the directory the plugin writes uploads to. That directory should also be reviewed for script files that may already have been uploaded, since the attack leaves a file on disk rather than only in memory.
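The following is an added example and is not code from this advisory, from Alert Logic, or from the plugin. It shows, in Python, the server-side checks the upload handler should have applied at stage 1 of the exploit (an image extension allowlist applied to every extension in the name, image magic bytes, and a scan for a PHP open tag inside an otherwise valid-looking image), and a random storage name in place of the predictable timestamp that stage 3 depends on. The same `check_upload` logic, run over a parsed multipart POST body by `scan_request`, is also the shape of a detection rule for the upload request. The multipart body, boundary string, filenames and all function names are constructed for this example; nothing about the plugin's real endpoint, parameter names or storage path is assumed.

```python
import re
import secrets

# Added example: constructed data and hypothetical helper names, not plugin code.
# Extensions commonly mapped to the PHP interpreter. Every extension in the name is
# checked, not just the last, because some Apache AddHandler setups run "x.php.jpg".
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, content) pairs."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):    # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if content.endswith(b"\r\n"):    # CRLF that precedes the next delimiter
            content = content[:-2]
        parts.append((headers, content))
    return parts


def filename_of(headers):
    """Filename from Content-Disposition, or None for an ordinary form field."""
    match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return match.group(1) if match else None


def check_upload(filename, declared_type, content):
    """Return the reasons an upload must be rejected; an empty list means accept.

    These are the controls the vulnerable handler omits. The declared Content-Type
    is attacker-controlled, so it is the weakest check and never the only one.
    """
    reasons = []
    exts = [e.lower() for e in filename.split(".")[1:]]
    ext = exts[-1] if exts else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_EXTENSIONS:
        reasons.append("extension not in image allowlist")
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        reasons.append("script extension present in filename")
    magic = next((kind for sig, kind in IMAGE_MAGIC.items() if content.startswith(sig)), None)
    if magic is None:
        reasons.append("content does not start with a known image signature")
    elif magic != ext:
        reasons.append("extension does not match content signature")
    if PHP_TAG.search(content):
        reasons.append("PHP open tag found in content")
    if not declared_type.lower().startswith("image/"):
        reasons.append("declared Content-Type is not image/*")
    return reasons


def safe_store_name(ext):
    """Unpredictable storage name; a timestamp-derived name is what lets the
    attacker in stage 3 guess the URL of the file just uploaded."""
    return f"{secrets.token_hex(16)}.{ext}"


def scan_request(body, boundary):
    """Run check_upload over every file part of a multipart POST body."""
    findings = {}
    for headers, content in parse_multipart(body, boundary):
        name = filename_of(headers)
        if name is None:
            continue                      # plain form field, not a file
        findings[name] = check_upload(name, headers.get("content-type", ""), content)
    return findings


def build_part(boundary, filename, content_type, content):
    """Encode one file part of a constructed multipart/form-data request."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n")
    return head.encode() + content + b"\r\n"


# Constructed request: a PHP script with a lying Content-Type, a genuine JPEG
# header, and a JPEG header with PHP appended (a polyglot).
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
SAMPLE_BOUNDARY = "----ExampleBoundary7MA4YWxk"
SAMPLE_BODY = (
    build_part(SAMPLE_BOUNDARY, "shell.php", "image/jpeg", b"<?php echo 'hello'; ?>")
    + build_part(SAMPLE_BOUNDARY, "photo.jpg", "image/jpeg", JPEG_HEADER)
    + build_part(SAMPLE_BOUNDARY, "polyglot.jpg", "image/jpeg", JPEG_HEADER + b"<?php echo 1; ?>")
    + f"--{SAMPLE_BOUNDARY}--\r\n".encode()
)

if __name__ == "__main__":
    for name, reasons in scan_request(SAMPLE_BODY, SAMPLE_BOUNDARY).items():
        print(name, "->", "ACCEPT" if not reasons else "; ".join(reasons))
```

Content checks on their own are a weak control: the polyglot above is caught only because the PHP marker is literal, and a stored file is still executed if the web server is willing to run scripts from the upload directory. The durable fix is to store uploads where the interpreter cannot reach them or to disable script execution for that directory, which is also what the virtual patching described in the recommendations should enforce.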