A security vulnerability has been identified in the User Submitted Posts WordPress plugin [2], specifically in versions 20230902 and earlier. This vulnerability allows unauthorized users to upload arbitrary files [1] [2], including phtml files [1], which can lead to remote code execution [1].

Description

The flaw resides in the usp_attach_images function of the plugin, which is called from the usp_createPublicSubmission function [1]. The usp_check_images function is responsible for validating uploaded image files [1]. However, the filename check can be bypassed by uploading a valid image file with an added PHP script payload and using phtml as the file extension [1]. Although there is a condition that checks the file type using the wp_check_filetype function [1], a race condition technique can be utilized to trigger the code execution [1].

This vulnerability has been assigned CVE-2023-45603. Plugin Planet has addressed this issue by releasing a patch in version 20230914 of the plugin. It is highly recommended that users update their installations immediately. Additionally, website owners should conduct a thorough code audit to identify any potential vulnerabilities and maintain a whitelist of allowed file extensions to prevent arbitrary file uploads.
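As an added example (not code from the plugin, Plugin Planet or the cited articles), the following Python script audits an uploads directory against an extension allowlist and flags files that carry a PHP open tag, the pattern described above. The allowlist contents, the function names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed allowlist: extension -> expected leading bytes of that format.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}


def audit_file(path):
    """Return the reasons a file violates the upload allowlist (empty if none)."""
    path = Path(path)
    ext = path.suffix.lower()
    data = path.read_bytes()
    reasons = []
    if ext not in ALLOWED:
        reasons.append("extension not allowlisted: %r" % ext)
    elif not data.startswith(ALLOWED[ext]):
        reasons.append("content does not match extension")
    # PHP open tags are case-insensitive, so compare in lower case.
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in file body")
    return reasons


def audit_tree(root):
    """Walk root and map each offending relative path to its reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = audit_file(path)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_sample_tree(root):
    """Write constructed sample files; the embedded 'script' is an inert comment."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = {"photo.png": png, "banner.jpg": b"not a jpeg",
               "avatar.phtml": png + b"<?php /* inert marker */ ?>"}
    for name, body in samples.items():
        (Path(root) / name).write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for name, reasons in audit_tree(root).items():
            print(name, "->", "; ".join(reasons))
```

A hit on the extension check alone is enough to investigate a file; the content checks help when an allowlisted extension has been used for a file that is not the image it claims to be.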

Conclusion

The discovery of this security vulnerability highlights the importance of regularly updating software and conducting code audits to ensure the security of websites. By promptly applying the patch provided by Plugin Planet, users can mitigate the risk of remote code execution. Going forward, it is crucial for website owners to maintain a proactive approach to security, including implementing measures such as whitelisting allowed file extensions, to prevent similar vulnerabilities from being exploited.

References

[1] https://patchstack.com/articles/pre-auth-arbitrary-file-upload-in-user-submitted-posts-plugin/
[2] https://www.infosecurity-magazine.com/news/wp-plugin-user-submitted-posts/