WordPress Plugins Vulnerable to Unrestricted File Upload via Arbitrary Plugin Installation

A vulnerability allowing unrestricted upload of files with dangerous types has been identified in multiple WordPress plugins that utilize the Jewel Theme Recommended Plugins Library. This issue affects all versions up to and including 1.0.2.3. The vulnerability arises from missing capability checks in the '_recommended_upgrade_plugin' function, which permits the installation of arbitrary plugin URLs. As a result, authenticated attackers with subscriber-level access or higher can upload arbitrary plugin packages to the server of the affected site via a manipulated plugin URL. This could potentially lead to remote code execution.

Impact

Exploitation of this vulnerability could allow authenticated attackers to upload malicious plugins that could be activated to execute arbitrary code on the server.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the '_recommended_upgrade_plugin' function with a crafted plugin URL pointing to a malicious plugin package. The absence of proper capability checks allows the unauthorized installation of the plugin, which can then be activated to execute any embedded malicious code.

Remediation

Users are advised to update to version 1.0.2.4 or a newer patched version.