WordPress Plugin HS Brand Logo Slider Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An unrestricted file upload vulnerability has been identified in version 2.1 of the WordPress plugin HS Brand Logo Slider. The plugin validates the extension of an uploaded logo only on the client side (in the browser), so an authenticated user with access to the plugin's admin page can bypass the check and upload a file of any type. Exploitation consists of intercepting the upload request that carries the 'logoupload' parameter in the admin interface and changing the file's extension to an executable one, such as .php; the uploaded script can then be requested from the web server to achieve remote code execution.

Impact

Exploitation of this vulnerability allows remote code execution on the server hosting the vulnerable WordPress site, with the privileges of the PHP process that serves the uploaded file.

Reproduction

To reproduce this vulnerability, log in to the WordPress site with an account that has access to the admin interface and open the HS Brand Logo Slider plugin page. Select a file with a non-executable extension such as .jpg, which satisfies the client-side check, and submit the upload while proxying the browser through an interception tool such as Burp Suite. In the intercepted request, change the filename of the 'logoupload' part from .jpg to an executable extension such as .php (the file body must contain the PHP code to be executed) and forward the request. The server accepts the file and shows its path in the plugin's upload table; requesting that path from the web server executes the uploaded PHP, which can be used to run commands on the host.
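The root cause described in the Vulnerability and Reproduction sections is that only the browser checks the file extension. The following is an added example of a hardened server-side handler for a 'logoupload' form field, written for this page; it is not the plugin's code and does not describe how the plugin is actually implemented. The field name 'logoupload' comes from the advisory; the hook name, nonce action, function name and redirect target are assumptions. The WordPress functions it calls (current_user_can, check_admin_referer, wp_check_filetype_and_ext, sanitize_file_name, wp_handle_upload) are real core APIs.

```php
<?php
// Added example, not the plugin's code. Demonstrates server-side validation
// of a 'logoupload' file field so that renaming the file to .php in an
// intercepted request is rejected. Hook, nonce and function names are assumed.

add_action( 'admin_post_hsbl_upload_logo', 'hsbl_handle_logo_upload_hardened' );

function hsbl_handle_logo_upload_hardened() {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 1. Capability check: only users who may upload media reach this code.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a valid nonce (assumed action name).
    check_admin_referer( 'hsbl_upload_logo', 'hsbl_nonce' );

    if ( empty( $_FILES['logoupload']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['logoupload']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['logoupload'];

    // 3. Server-side allow-list of image types. The browser-side extension
    //    check is a convenience only; an attacker edits the request directly.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 4. wp_check_filetype_and_ext() checks the extension against the allow-list
    //    and sniffs the file contents. A .jpg renamed to .php fails the
    //    extension check; PHP source renamed to .jpg fails the content check.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only JPEG, PNG, GIF or WebP images are accepted.', '', array( 'response' => 415 ) );
    }

    // 5. Belt and braces: refuse names with an executable or HTML extension
    //    anywhere in the name (logo.php, logo.php.jpg, logo.phtml).
    $basename = sanitize_file_name( $file['name'] );
    if ( preg_match( '/\.(php\d?|phtml|phar|html?|js|svg)(\.|$)/i', $basename ) ) {
        wp_die( 'Disallowed file name.', '', array( 'response' => 415 ) );
    }
    // Use the corrected name if the sniffed type disagreed with the extension.
    $file['name'] = ! empty( $check['proper_filename'] ) ? $check['proper_filename'] : $basename;

    // 6. Let WordPress move the file into the uploads directory. It re-runs the
    //    same type check against $allowed_mimes before accepting the file.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed_mimes,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // $result['file'] and $result['url'] now refer to a validated image only.
    // Redirect target is an assumption for this example.
    wp_safe_redirect( add_query_arg( 'hsbl_uploaded', '1', wp_get_referer() ) );
    exit;
}
```

The decisive change is that every check runs on the server, on the request as actually received, rather than in the browser on the request the user intended to send. As defense in depth, the web server should also be configured not to execute PHP from the uploads directory, so that a bypass of the upload handler does not by itself yield code execution.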

Added: May 16, 2026, 4:40 PM
Updated: May 16, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 8.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.