Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
WordPress Responsive Thumbnail Slider Arbitrary File Upload Vulnerability
Vulnerability
The WordPress Responsive Thumbnail Slider plugin, in versions prior to 1.0.1, allows arbitrary file uploads. The plugin's image uploader does not adequately validate the type of uploaded files, so any authenticated user with Subscriber-level access or higher can upload arbitrary files to the server. The upload restriction can be bypassed with a double file extension (for example a name ending in .php.jpg), and a PHP file placed in a web-accessible directory gives the attacker remote code execution.
Impact
Successful exploitation lets a low-privileged authenticated user upload a web shell or other malicious script. If the web server executes the uploaded file, the attacker gains remote code execution as the web server user, which typically leads to full compromise of the affected site.
Reproduction
To reproduce this vulnerability, log into a WordPress site with an account that has Subscriber-level access or higher. Navigate to the 'Add Image' section of the Responsive Thumbnail Slider plugin and upload a file through the plugin's image uploader, giving it a double extension that the uploader accepts as an image (for example 'Shell.php.jpg'). Intercept the upload request with a tool such as Burp Suite and change the file name from 'Shell.php.jpg' to 'Shell.php' before the request is sent. Once the upload completes, the file is stored under a web-accessible path and can be requested directly, at which point the server executes it.
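The following is an added illustration, not the plugin's own code (the plugin is PHP; the logic is shown here in Python so it can be run directly). It contrasts a hypothetical name- and Content-Type-based check of the kind that a double extension defeats with a server-side check that takes only the final extension, allowlists it, verifies the file's magic bytes, and generates the stored name itself. The sample uploads (a PHP payload and a minimal JPEG/PNG header) are constructed inline.

```python
"""Weak versus hardened image-upload validation (added example, not plugin code)."""
import os
import secrets

# Allowed extensions and the leading bytes a file of that type must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",        # JPEG SOI marker
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",   # PNG signature
    "gif": b"GIF8",                # GIF87a / GIF89a
}

# Constructed sample inputs (not real captures).
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def weak_is_image(filename: str, client_mime: str) -> bool:
    """Hypothetical weak check that trusts the client.

    It accepts a name that contains an image extension anywhere and a
    client-supplied image/* Content-Type, and never looks at the bytes.
    'Shell.php.jpg' with Content-Type image/jpeg passes, which is the
    double-extension bypass described in the advisory.
    """
    name = filename.lower()
    has_image_ext = any(f".{ext}" in name for ext in ALLOWED)
    return has_image_ext and client_mime.startswith("image/")


def hardened_check(filename: str, content: bytes):
    """Server-side validation that does not trust the client.

    - the name must have exactly one extension, taken from the final dot;
    - that extension must be on the allowlist;
    - the file's leading bytes must match the signature for that type;
    - the stored name is generated here, so the client-chosen name
      (including one rewritten in an intercepted request) never reaches disk.
    Returns the storage file name on success, None on rejection.
    """
    base = os.path.basename(filename)          # strip any path components
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None                            # 'shell.php.jpg', 'shell', '.htaccess'
    ext = parts[1]
    signature = ALLOWED.get(ext)
    if signature is None:
        return None                            # 'shell.php': extension not allowlisted
    if not content.startswith(signature):
        return None                            # 'shell.jpg' holding PHP source
    return f"{secrets.token_hex(16)}.{ext}"    # 32 hex chars + extension


if __name__ == "__main__":
    print("weak accepts Shell.php.jpg:", weak_is_image("Shell.php.jpg", "image/jpeg"))
    print("hardened Shell.php.jpg:", hardened_check("Shell.php.jpg", PHP_PAYLOAD))
    print("hardened Shell.php:", hardened_check("Shell.php", PHP_PAYLOAD))
    print("hardened photo.jpg:", hardened_check("photo.jpg", SAMPLE_JPEG))
```

The magic-byte test only confirms the file starts like an image; PHP source appended to a valid JPEG still passes it, so the extension allowlist and the server-generated name are what keep the file from being executed. Serving the upload directory with script execution disabled is a separate, independent control that this check does not replace.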
Remediation
Users are advised to update the WordPress Responsive Thumbnail Slider plugin to version 1.0.1 or later. Because the issue is being exploited in the wild, administrators should also check the site's upload directories for unexpected PHP files and review Subscriber-level accounts that may have been used to upload them.
