Vulnerability Exposed in WordPress Plugin User Submitted Posts

A new vulnerability in the User Submitted Posts WordPress plugin (versions 20230902 and below) has been discovered by the Patchstack team.

With over 20,000 active installations, this popular plugin is used for user-generated content submissions and is developed by Plugin Planet.

The vulnerability, discussed by Patchstack security researcher Rafie Muhammad in an advisory published today, has been assigned CVE-2023-45603.

“This plugin suffers from an unauthenticated arbitrary file upload vulnerability,” Muhammad explained.

The flaw resides in the plugin’s handling of uploaded files, particularly in the “usp_attach_images” function. Unauthenticated users could exploit this vulnerability by uploading files with PHP code embedded, which would then execute on the server, potentially compromising the website’s security.


In his blog post, Muhammad explained that the team discovered the flaw in September 2023 and that Plugin Planet issued a patch two days later. By October 10, 2023, the vulnerability was cataloged in the Patchstack database.

“Since the main problem is allowing arbitrary file name extensions to be uploaded, the vendor decided to add a whitelist check before uploading the file to the server,” reads the technical write-up.

The issue has been addressed in the latest release of the plugin, version 20230914. Users are strongly advised to update their installations immediately to protect their websites from this serious security threat.

“Always check every process of $_FILES parameters in the plugin or theme code,” Muhammad wrote. “Make sure to apply a check on the filename and extension before uploading the file.”

Website owners are also reminded to audit their code for potential vulnerabilities and to maintain a whitelist of allowed file extensions as a precautionary measure against arbitrary file uploads.
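
An allowlist check of the kind the advisory recommends, shown as an added example (it is not the plugin's patch or Patchstack's code). It is plain PHP with hypothetical names `safe_upload_name` and `ALLOWED_EXT`, run against constructed `$_FILES`-style entries.

```php
<?php
// Added illustration, not the plugin's code; names below are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif']; // assumed allowlist for an image-only form

/** Returns a server-chosen filename for one $_FILES-style entry, or null to reject it. */
function safe_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Drop any path components the client put in the name.
    $name  = basename(str_replace('\\', '/', (string) ($file['name'] ?? '')));
    $parts = explode('.', strtolower($name));
    // Require exactly "name.ext" with an allowlisted ext: rejects shell.php, shell.php.gif, .htaccess.
    if (count($parts) !== 2 || $parts[0] === '' || !in_array($parts[1], ALLOWED_EXT, true)) {
        return null;
    }
    // The extension is client-controlled, so also require that the bytes parse as an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return null;
    }
    // A real handler would also use is_uploaded_file()/move_uploaded_file() here.
    return bin2hex(random_bytes(16)) . '.' . $parts[1];
}

// Constructed sample inputs so the script runs from the CLI without an HTTP upload.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, 'GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00;"); // minimal GIF header
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, '<?php /* constructed non-image content */');

$cases = [
    ['name' => 'avatar.gif',     'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    ['name' => 'avatar.php',     'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    ['name' => 'avatar.php.gif', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    ['name' => 'avatar.GIF',     'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $c) {
    printf("%-15s => %s\n", $c['name'], safe_upload_name($c) === null ? 'rejected' : 'accepted');
}
unlink($gif);
unlink($txt);
```

The exactly-one-dot rule is deliberately strict and will also refuse benign names such as `my.photo.jpg`; because the stored name is generated server-side, nothing is lost by asking the client for a simpler name.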
