Greenshift WordPress Plugin Arbitrary File Upload Vulnerability Allowing Remote Code Execution

A vulnerability allowing arbitrary file uploads has been identified in the Greenshift animation and page builder blocks plugin for WordPress. This issue arises from inadequate file type validation in the 'gspb_make_proxy_api_request' function, affecting versions 11.4 to 11.4.5. The vulnerability allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the server, potentially leading to remote code execution. While the arbitrary file upload vulnerability was patched in version 11.4.5, a capability check to prevent unauthorized limited file uploads was only introduced in version 11.4.6.

Impact

Exploitation of this vulnerability could allow for arbitrary file uploads, with the potential for uploaded files to be executed as code, depending on the file type and execution context.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can upload files through the WordPress REST API. The 'gspb_make_proxy_api_request' function can be targeted by sending a POST request to the 'greenshift/v1/proxy-api/' endpoint, including the file in the request. The absence of proper file type validation allows for the upload of potentially malicious files.

Remediation

Users are advised to update the Greenshift WordPress plugin to version 11.4.6 or later.