Pie Forms for WP Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in the Pie Forms for WP WordPress plugin, affecting all versions up to and including 1.6. The issue lies in the 'format_classic' function: its 'validate_classic' method checks the file extension and records an error message for disallowed types, but a failed check never aborts processing, so the upload completes anyway. This lets an unauthenticated attacker upload files with dangerous extensions such as .php, which can lead to remote code execution if the file is later requested from a location where the server executes PHP. Two factors raise the bar for exploitation: the attacker must determine the upload directory, whose name is derived from a predictable hash, and the uploaded file is renamed using a securely generated hash, so the final filename cannot simply be guessed.
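The failure mode described above, as an added illustration in PHP. This is not the plugin's code: the function names, the allow-list and the destination directory are hypothetical, and the real 'format_classic' / 'validate_classic' are not reproduced. The first pair of functions shows a validator that only appends to an error array, which the caller ignores before moving the file; the hardened version returns on the first failed check and delegates the move to WordPress's own wp_handle_upload(), so the core MIME/extension check in wp_check_filetype_and_ext() applies as well.

```php
<?php
// Added example, not Pie Forms' own code. All names below are hypothetical.

const ALLOWED_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// --- Vulnerable pattern -------------------------------------------------
// The validator records an error but returns nothing the caller acts on.
function validate_upload_vulnerable(array $file, array &$errors): void
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        $errors[] = "File type .$ext is not allowed.";
        // Bug: no return value, no exception, no flag. Processing continues.
    }
}

function handle_upload_vulnerable(array $file, string $target_dir): string
{
    $errors = [];
    validate_upload_vulnerable($file, $errors);
    // $errors is only rendered back to the user later; the move happens first.
    $ext  = pathinfo($file['name'], PATHINFO_EXTENSION);
    $dest = $target_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    move_uploaded_file($file['tmp_name'], $dest);   // a .php file lands on disk
    return $dest;
}

// --- Hardened pattern ---------------------------------------------------
// Fail closed on the extension check, then let WordPress enforce the type.
function handle_upload_hardened(array $file): array
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        return ['error' => "File type .$ext is not allowed."];   // stop here
    }

    // wp_handle_upload() lives in wp-admin/includes/file.php and is not
    // loaded on front-end requests by default.
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $overrides = [
        'test_form' => false,               // not submitted via a WP admin form
        'mimes'     => [                    // only these types are accepted
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'pdf'      => 'application/pdf',
        ],
        // Random, non-guessable filename; $ext arrives with its leading dot.
        'unique_filename_callback' => function ($dir, $name, $ext) {
            return bin2hex(random_bytes(16)) . $ext;
        },
    ];

    // Returns ['file' => ..., 'url' => ..., 'type' => ...] on success,
    // or ['error' => ...] when wp_check_filetype_and_ext() rejects the file
    // (for example a PHP script renamed to .jpg).
    return wp_handle_upload($file, $overrides);
}
```

The key difference is control flow, not the allow-list: both versions detect a disallowed extension, but only the hardened one refuses to proceed. Delegating to wp_handle_upload() also means the extension is checked against the file's actual content rather than the name alone.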

Impact

Successful exploitation yields arbitrary file upload. If the file lands in a web-accessible directory where the server executes PHP, requesting it runs the attacker's code, giving remote code execution. Where PHP execution is disabled for that directory, the uploaded file is merely served as static content and the impact is limited to the upload itself.

Reproduction

Submit a file with a disallowed extension, such as .php, through a file upload field on a form built with the Pie Forms for WP plugin. The 'validate_classic' method reports the extension as invalid but still completes the upload. If the destination is a web-accessible directory that executes PHP, and the hashed directory and filename are known, requesting the file executes it.

Remediation

No patch is available. Uninstall the plugin and replace it with a maintained alternative. Until that is done, disabling PHP execution in the directory the plugin writes uploads to (standard WordPress hardening, independent of this plugin) limits an uploaded script to being served rather than run, and existing uploads should be checked for files with executable extensions or PHP content.
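A check for files that may already have been uploaded, as an added example that is not part of this advisory or the plugin. It walks a directory tree and reports any file whose name carries a server-executable extension anywhere in it (so "shell.php.jpg" is caught as well) or whose first bytes contain a PHP open tag regardless of extension. The directory path and the extension list are assumptions; on a live site the path would normally be wp_upload_dir()['basedir'] or wherever the plugin stores form uploads.

```php
<?php
// Added incident-response check, not part of the advisory or the plugin.

/**
 * Return [path => [reasons...]] for files under $dir that look executable.
 * $exec_exts is a hypothetical list; extend it to match the server config.
 */
function find_suspicious_uploads(
    string $dir,
    array $exec_exts = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps']
): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($it as $f) {
        if (!$f->isFile()) {
            continue;
        }
        $path    = $f->getPathname();
        $reasons = [];

        // Check every dot-separated part of the name, not just the last one,
        // so double extensions such as "x.php.jpg" are flagged.
        foreach (explode('.', strtolower($f->getFilename())) as $part) {
            if (in_array($part, $exec_exts, true)) {
                $reasons[] = "extension .$part";
                break;
            }
        }

        // Content check: a PHP open tag in the first 64 bytes, whatever the name.
        $head = @file_get_contents($path, false, null, 0, 64);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $reasons[] = 'PHP open tag in content';
        }

        if ($reasons) {
            $hits[$path] = $reasons;
        }
    }
    return $hits;
}

// Assumed location; adjust to the plugin's actual upload directory.
$uploads = '/var/www/html/wp-content/uploads';
foreach (find_suspicious_uploads($uploads) as $path => $why) {
    echo $path, ': ', implode(', ', $why), PHP_EOL;
}
```

Run it with the site's PHP binary (or via wp eval-file) and review every hit by hand: legitimate plugins rarely write PHP under the uploads tree, so any match from after the plugin was installed deserves a closer look.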

Added: Nov 18, 2025, 9:38 AM
Updated: Nov 18, 2025, 3:15 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 7.4
remediation: 0.0
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.