Hot Random Image WordPress Plugin Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in the Hot Random Image plugin for WordPress, affecting all versions through 1.9.2. This vulnerability allows authenticated attackers with Contributor-level access and above to access arbitrary images with permitted extensions, outside of the intended directory. The issue arises via the 'path' parameter, which does not properly validate user input, enabling access to files outside the designated folder.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive images stored on the server, potentially including private or proprietary content.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the WordPress site with the 'path' parameter modified to include a directory traversal sequence. This request can be made through a shortcode or a block that uses the 'randomimage' path attribute. The plugin will then return a randomly selected image from the specified path, bypassing the intended directory restrictions.

Remediation

Users are advised to update the Hot Random Image plugin to version 1.9.3 or later.
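The fix class for this kind of bug is to resolve the requested directory with realpath() and refuse it unless it still lies inside the allowed base. The following is an added example written for this advisory, not the plugin's own code; it assumes the uploads directory is the intended root, and the function names hri_resolve_image_dir() and hri_random_image_shortcode() are hypothetical.

```php
<?php
// Added example, not the plugin's code: resolve a shortcode "path" attribute
// and reject it unless the resolved directory stays inside $base.
// hri_resolve_image_dir() and hri_random_image_shortcode() are hypothetical.

function hri_resolve_image_dir( $path, $base ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return false;
    }
    $path = (string) $path;
    // Null bytes can truncate the path in lower-level filesystem calls.
    if ( false !== strpos( $path, "\0" ) ) {
        return false;
    }
    // realpath() collapses "../" segments and symlinks, so the containment
    // check below sees the directory that would actually be read.
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $path, '/\\' ) );
    if ( false === $target || ! is_dir( $target ) ) {
        return false;
    }
    // Compare with a trailing separator so "/uploads-private" is not
    // accepted as being under "/uploads".
    $base_sep = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $target . DIRECTORY_SEPARATOR, $base_sep ) ) {
        return false;
    }
    return $target;
}

function hri_random_image_shortcode( $atts ) {
    $atts   = shortcode_atts( array( 'path' => '' ), $atts, 'randomimage' );
    $upload = wp_upload_dir(); // assumption: uploads dir is the allowed root
    $dir    = hri_resolve_image_dir( $atts['path'], $upload['basedir'] );
    if ( false === $dir ) {
        return ''; // escaped the base or unreadable: render nothing
    }
    // Only the permitted image extensions are ever listed.
    $files = glob( $dir . DIRECTORY_SEPARATOR . '*.{jpg,jpeg,png,gif}', GLOB_BRACE );
    if ( empty( $files ) ) {
        return '';
    }
    $file = $files[ array_rand( $files ) ];
    // Map the filesystem path back to a URL under the uploads base URL.
    $rel = substr( $file, strlen( realpath( $upload['basedir'] ) ) );
    $url = $upload['baseurl'] . str_replace( DIRECTORY_SEPARATOR, '/', $rel );
    return '<img src="' . esc_url( $url ) . '" alt="" />';
}
add_shortcode( 'randomimage', 'hri_random_image_shortcode' );
```

A path such as "../../wp-content/plugins" resolves outside the uploads root and the shortcode renders nothing, while "gallery/2024" resolves to a subdirectory and is served as before.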

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.