arbitrary file upload :: is this a vulnerability in WordPress



Hello dear community,

topic today: arbitrary file upload :: is this a vulnerability in WordPress

Just recognized some folders in a fresh WordPress installation.

see the following: 




NOTE. THE SITE WAS INSTALLED freshly IN summer 2019.
I have had no installation before..
So what happened here ...!?

BTW, found some interesting reading on the net:

Well, that looks interesting: "Arbitrary file upload vulnerability in WordPress User Submitted Posts .... curl http://example.com/wp-content/uploads/2019/04/script.php.gif ..."
https://www.pluginvulnerabilities.com/2018/01/29/arbitrary-file-upload-vulnerability-in-wordpress-forms/



The function that handles that, process_submition(), will save submitted files to the directory for the current year/month in the directory /wp-content/uploads/ with the following code:

$upload_dir = wp_upload_dir();
move_uploaded_file( $_FILES[$key]['tmp_name'], $upload_dir['path'] . '/' . $_FILES[$key]['name'] );
The code does try to restrict .php files from being uploaded with the following code:

if ( $_FILES[$key]['type'] == 'application/octet-stream' or $_FILES[$key]['type'] == 'application/x-httpd-php' )
    wp_die( "Error: For security reasons you can't upload application files!" );
That code isn’t effective because the “type” value it checks is user specified, so a .php file could be uploaded with the type specified as something else and it will pass that check.

While this type of vulnerability is fairly likely to be exploited if hackers are aware of it, in the case of the website we were cleaning, the plugin was deactivated, so the vulnerability could not have been exploited.


Question - is this anything serious that I have found!?

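To make the weakness quoted from the article concrete, here is an added example in plain PHP (not the plugin's code and not from the linked article): the client-declared check beside a check that ignores the declared type, allowlists the extension chain and sniffs the bytes on disk with PHP's finfo extension. The function names and the sample upload array are constructed for the demo.

```php
<?php
// Added example, not the plugin's own code: the check quoted above trusts
// $_FILES[...]['type'], which the client sends, so a .php file declared as
// image/gif passes it. The hardened check below ignores the declared type.

// The plugin's logic as quoted: only the client-declared MIME type is inspected.
function weak_check(array $file): bool {
    return !($file['type'] === 'application/octet-stream'
          || $file['type'] === 'application/x-httpd-php');
}

// Hardened check: allowlist extensions, reject double extensions such as
// script.php.gif, and sniff the real content type from the bytes on disk.
function safe_upload_check(array $file, string $tmp_path): bool {
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $parts = explode('.', strtolower(basename($file['name'])));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!isset($allowed[$ext])) {
            return false;                   // a segment is not an allowed image extension
        }
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($tmp_path);       // derived from content, not from the request
    return $real === $allowed[end($parts)];
}

// Never keep the client-chosen filename: store under a random name with the
// verified extension, so the name itself cannot carry anything past the server config.
function safe_target_name(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed input: a file containing PHP code, uploaded with a double extension
// and a declared type of image/gif, the pattern the quoted article describes.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php /* not an image */ ?>");
$upload = ['name' => 'script.php.gif', 'type' => 'image/gif', 'tmp_name' => $tmp];

var_dump(weak_check($upload));              // inspects the declared type only
var_dump(safe_upload_check($upload, $tmp)); // inspects the extension chain and real content
echo 'an accepted GIF would be stored as ' . safe_target_name('gif') . PHP_EOL;
unlink($tmp);
```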

2 answers to this question

NJ Louch

They are legacy.  It's not an issue.




Is there a patch or update you can apply to mitigate the issue?


Aryeh Goretsky
