WordPress File Upload <= 3.4.0 - Unauthenticated Malicious File Upload



Description
The WordPress plugin wp-file-upload does not adequately check the filetype before allowing it to be uploaded. It also uploaded files with execute permissions, allowing malicious payloads to be uploaded.
Proof of Concept
1. Install wp-file-upload on a WordPress site and activate it.
2. Create an upload form on a page.
3. Create a file named payload.php.....jpg with the contents
<?php
echo "You got pwnd";

4. Use the form you created to upload this payload
5. Navigate to /wp-content/uploads/payload.php.....jpg and see "You got pwnd" printed.

Affects Plugin

fixed in version 3.4.1

References

CVE 2015-9341
URL https://wordpress.org/plugins/wp-file-upload

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Garth Mortensen
Submitter Website http://www.garthmortensen.com/
Submitter Twitter garth_mortensen
Views 4892
Verified No
WPVDB ID 8226

Timeline

Publicly Published 2015-10-29 (over 4 years ago)
Added 2015-11-09 (over 4 years ago)
Last Updated 2019-11-28 (7 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin