WordPress arbitrary file upload and download

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 PCI v3.2-6.5.1 CWE-434 WSTG-CONF-03

Uploaded files present a huge risk in the server. The uploaded files can be malicious and can cause damage to the server with sensitive data breach. It could also give complete access to the attacker. When an attacker wants to attack a web application. He will try different methods to upload his malicious file. After a successful upload, he will finds different ways to execute the file. A server that allows multiple themes for WordPress will fail to sanitize user supplied input. This will result in vulnerability that lets attackers upload and download any files. This might give unauthorized access or privilege escalation.


The impact of this vulnerability include:-

  • Complete system takeover
  • Overloaded file system
  • Overloaded database
  • Forwarding attacks to back-end systems
  • Client-side attacks
  • Simple defacement.

Mitigation / Precaution

Latest Articles