WordPress arbitrary file upload and download

Uploaded files present a huge risk in the server. The uploaded files can be malicious and can cause damage to the server with sensitive data breach. It could also give complete access to the attacker. When an attacker wants to attack a web application. He will try different methods to upload his malicious file. After a successful upload, he will finds different ways to execute the file. A server that allows multiple themes for WordPress will fail to sanitize user supplied input. This will result in vulnerability that lets attackers upload and download any files. This might give unauthorized access or privilege escalation.

Impact

The impact of this vulnerability include:-

  • Complete system takeover
  • Overloaded file system
  • Overloaded database
  • Forwarding attacks to back-end systems
  • Client-side attacks
  • Simple defacement.

Mitigation / Precaution

Latest Articles