The National Vulnerability Database published a vulnerability advisory about the ShortPixel Enable Media Replace WordPress plugin, which is used by over 600,000 websites. A high-severity vulnerability was discovered that could allow an attacker to upload arbitrary files.
The United States National Vulnerability Database (NVD) assigned the vulnerability a score of 8.8 out of 10, with 10 being the highest severity.
Enable Media Replace Plugin Vulnerability
Ordinarily one cannot upload an image with the same file name to update an existing image.
The Enable Media Replace Plugin by ShortPixel enables users to easily update images without having to delete the old image and then upload the updated version with the same file name.
Security researchers discovered that users with publishing privileges can upload arbitrary files, including PHP shells, also known as backdoors.
A plugin that accepts uploads (form submissions) should check that each file is of the type it is supposed to accept.
But according to the security warning at NVD, that check was apparently not being performed when users uploaded image files.
The National Vulnerability Database published this description:
“The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.”
This type of vulnerability is classified as: Unrestricted Upload of File with Dangerous Type.
What that means is that anyone with author privileges can upload a PHP script that can then be executed remotely by an attacker, since there are no restrictions on what can be uploaded.
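The missing check described above, as an added example that is not ShortPixel's code or part of the plugin: a plain PHP function (the `validate_replacement` name, the hard-coded type table and the constructed sample files are assumptions for this illustration) that refuses a replacement upload unless its extension is an allowed image type, its sniffed content matches that extension, and it is the same kind of file as the attachment it would overwrite.

```php
<?php
// Added example, not the plugin's own code. A real plugin would use the
// site's allowed mime list rather than this hard-coded table.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Return null if $tmpPath may replace $existingPath, otherwise the reason
 * for rejection. $uploadedName is the client-supplied name (never trusted).
 */
function validate_replacement(string $uploadedName, string $tmpPath, string $existingPath): ?string
{
    // 1. Only the final extension counts, compared case-insensitively,
    //    so "shell.PHP" and "shell.phtml" are rejected alike.
    $ext = strtolower(pathinfo($uploadedName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension '$ext' is not an allowed image type";
    }
    // 2. Sniff the actual bytes; the client-supplied MIME type is ignored.
    //    Sniffing does not catch image/PHP polyglots, so the web server must
    //    also be configured never to execute scripts under the uploads dir.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $actualMime = $finfo->file($tmpPath);
    if ($actualMime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "content is '$actualMime', which does not match extension '$ext'";
    }
    // 3. A replacement must be the same kind of file as the original, so a
    //    script can never be written over an existing image path.
    $existingMime = $finfo->file($existingPath);
    if ($existingMime !== $actualMime) {
        return "replacement type '$actualMime' differs from existing '$existingMime'";
    }
    return null;
}

// Demo with constructed files: a minimal 1x1 PNG header and a PHP stub.
$png = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53\xde");
$stub = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($stub, "<?php echo 'stub';");
var_dump(validate_replacement('photo.png', $png, $png));   // NULL: accepted
var_dump(validate_replacement('photo.php', $stub, $png));  // rejected at step 1
var_dump(validate_replacement('photo.png', $stub, $png));  // rejected at step 2
```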
A PHP shell is a tool that allows a website administrator to connect to the server remotely and do things like perform maintenance and upgrades, manipulate files, and run command-line programs.
That’s a scary amount of access for a hacker to gain, which may explain why this vulnerability is rated High, with a score of 8.8.
This kind of access is also referred to as a backdoor.
A GitHub backdoor list describes this kind of exploit:
“Hackers usually take advantage of an upload panel designed for uploading images onto sites.
This is usually found once the hacker has logged in as the admin of the site.
Shells can also be uploaded via exploits or remote file inclusion, or a virus on the computer.”
ShortPixel has issued a patch for the vulnerability. The fix is documented in the official changelog located in the WordPress repository for the plugin.
Versions of the Enable Media Replace plugin by ShortPixel earlier than 4.0.2 are vulnerable.
Plugin users may want to consider updating to at least version 4.0.2.
Read the official NVD advisory for the vulnerability: