Make Connector WordPress Plugin Arbitrary File Upload Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the Make Connector plugin for WordPress, affecting all versions through 1.5.10. The issue arises from improper file type validation in the 'upload_media' function, which is part of the plugin's REST API media upload handling. This flaw enables authenticated attackers with Administrator-level access to upload arbitrary files to the server, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability could allow for arbitrary file uploads, with the potential for uploaded files to be executed on the server, depending on the file type and execution context.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can upload a file through the WordPress REST API media endpoint. The 'upload_media' function will be called without proper validation of the file type, allowing for the upload of potentially malicious files, such as PHP web shells.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and consider a replacement.