WordPress File Upload <= 3.4.0 - Unauthenticated Malicious File Upload


Description
The WordPress plugin wp-file-upload does not adequately check the file type before allowing a file to be uploaded. It also stores uploaded files with execute permissions, allowing malicious payloads to be uploaded.
Proof of Concept
1. Install wp-file-upload on a WordPress site and activate it.
2. Create an upload form on a page.
3. Create a file named payload.php.....jpg with the contents
<?php
echo "You got pwnd";

4. Use the form you created to upload this payload
5. Navigate to /wp-content/uploads/payload.php.....jpg and see "You got pwnd" printed.
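
The two defects above (no check of the file name beyond its last extension, and execute permission on stored files) can be checked for on the defender's side. The following is an added example, not code from wp-file-upload or from WPScan: a name validator that treats every dot-separated segment as a candidate extension (so `payload.php.....jpg` is rejected), a sanitizer that rewrites such names, and an audit that walks an uploads directory and flags execute bits, server-side extensions and PHP open tags. The extension lists and the sample files built in `demo()` are constructed assumptions for illustration.

```python
"""Upload-name validation and uploads-directory audit for CWE-434 style issues.

Added example, not part of wp-file-upload or the WPScan advisory. The
SAFE_EXTENSIONS whitelist, the SERVER_SIDE_EXTENSIONS blocklist and the
sample files created in demo() are constructed assumptions.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

# Extensions a web server may hand to an interpreter (conservative list, assumption).
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml",
                          "phar", "phps", "cgi", "pl", "py", "sh"}
# Extensions the upload form is meant to accept (assumption).
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Matches "<?php" and "<?=" in the first bytes of a file.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def upload_name_problems(filename: str) -> list[str]:
    """Return the reasons a file name should be rejected (empty list == accept).

    Every dot-separated segment is treated as a potential extension, because
    servers with per-extension handlers (e.g. Apache AddHandler) can match on
    an inner segment, not only the last one. Empty segments produced by runs
    of dots are dropped, so 'payload.php.....jpg' is seen as payload/php/jpg.
    """
    problems = []
    base = os.path.basename(filename)
    if base != filename or "\x00" in filename:
        problems.append("path separator or NUL byte in name")
    segments = [s.lower() for s in base.split(".") if s]
    if len(segments) < 2:
        problems.append("no extension")
        return problems
    final_ext = segments[-1]
    if final_ext not in SAFE_EXTENSIONS:
        problems.append(f"extension '{final_ext}' not in whitelist")
    for seg in segments[:-1]:
        if seg in SERVER_SIDE_EXTENSIONS:
            problems.append(f"inner segment '{seg}' is a server-side extension")
    return problems


def sanitize_upload_name(filename: str) -> str:
    """Rewrite a name so only the final, whitelisted extension stays a dot-segment.

    'payload.php.....jpg' becomes 'payload_php.jpg'; names without a
    whitelisted final extension raise ValueError instead of being stored.
    """
    segments = [s for s in os.path.basename(filename).split(".") if s]
    if len(segments) < 2:
        raise ValueError("no extension")
    ext = segments[-1].lower()
    if ext not in SAFE_EXTENSIONS:
        raise ValueError(f"extension '{ext}' not allowed")
    stem = "_".join(re.sub(r"[^A-Za-z0-9_-]", "_", s) for s in segments[:-1])
    return f"{stem}.{ext}"


def audit_uploads_dir(root: str) -> list[tuple[str, str]]:
    """Walk an uploads tree and report files that should never be there:
    execute bit set, server-side extension in any segment, or a PHP open tag."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, "execute bit set"))
            segs = [s.lower() for s in name.split(".") if s]
            if any(s in SERVER_SIDE_EXTENSIONS for s in segs):
                findings.append((rel, "server-side extension in name"))
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Build a constructed uploads tree (one file shaped like the PoC, one benign
    image) in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "payload.php.....jpg")
        with open(bad, "wb") as fh:
            fh.write(b'<?php\necho "You got pwnd";\n')
        os.chmod(bad, 0o755)              # the execute permission the plugin set
        good = os.path.join(root, "holiday.jpg")
        with open(good, "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed, not a real JPEG")
        os.chmod(good, 0o644)
        return audit_uploads_dir(root)


if __name__ == "__main__":
    print(upload_name_problems("payload.php.....jpg"))
    print(sanitize_upload_name("payload.php.....jpg"))
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Pointing `audit_uploads_dir()` at a real `wp-content/uploads` tree is a quick way to confirm whether a site that ran an affected version was actually used: a legitimate upload directory should produce no findings at all, and any file with the execute bit or a PHP tag is worth a closer look. The validator and sanitizer show the check the plugin lacked before 3.4.1; they complement, rather than replace, serving the uploads directory with script execution disabled.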

Affects

Plugin wp-file-upload
fixed in version 3.4.1

References

URL https://wordpress.org/plugins/wp-file-upload

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Garth Mortensen
Submitter Website http://www.garthmortensen.com/
Submitter Twitter garth_mortensen
Views 535
Verified No
WPVDB ID 8226

Timeline

Publicly Published 2015-10-29
Added 2015-11-09
Last Updated 2015-11-09

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.