WordPress FoxyPress Plugin Uploadify.php Arbitrary File Upload Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the FoxyPress plugin for WordPress, specifically in versions through 0.4.2.1. The issue arises from inadequate file type validation in the uploadify.php file, enabling unauthenticated attackers to upload arbitrary files to the affected site's server. This vulnerability could potentially lead to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which could be used to execute malicious code on the server, depending on the uploaded file's nature and how it's handled by the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'wp-content/plugins/foxypress/uploadify/uploadify.php' without proper file type validation. The request must include a file disguised as a different type, such as a PHP file, to exploit the vulnerability.

Remediation

Users are advised to update the FoxyPress plugin to version 0.4.2.2 or a newer patched version.