Compress & Upload WordPress Plugin Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability exists in the Compress & Upload WordPress plugin in versions prior to 1.0.5, where the plugin fails to properly validate uploaded files. This flaw allows high-privilege users, such as administrators, to upload arbitrary files to the server, even in situations where such actions should be restricted, like in a multisite setup.
Impact
Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing for the execution of malicious scripts or code on the server.
Reproduction
To reproduce this vulnerability, upload a regular image file through the WordPress Admin Panel. While the upload is in progress, intercept the request with Burp Suite. Modify the request to change the filename to 'evil.php' and replace the file content with PHP web shell code, ensuring the Content-Type remains as 'image/jpeg' to bypass MIME-type checks. Forward the modified request. If successful, the PHP file will be saved in the uploads directory, where it can be accessed and executed.
Remediation
Users are advised to update the Compress & Upload WordPress plugin to version 1.0.5 or later.
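The flaw described above is a missing server-side check on what an upload actually is: a filename and a client-chosen Content-Type are both attacker-controlled, so a handler that only inspects `$_FILES[...]['type']` can be talked into storing a `.php` file. The following is an added example written for this advisory, not code from the Compress & Upload plugin. It contrasts a Content-Type-only check with a validation routine that uses real WordPress core functions (`wp_check_filetype_and_ext()`, `get_allowed_mime_types()`, `current_user_can()`, `wp_handle_upload()`); the `example_*` function names are hypothetical. It also handles the multisite case the advisory mentions: on a network, site administrators do not hold the `unfiltered_upload` capability, so an upload handler must not treat "is an administrator" as permission to bypass type filtering.

```php
<?php
// Added example for this advisory; not the plugin's own code.
// wp_* functions are the real WordPress API; example_* names are hypothetical.

/**
 * WEAK: the kind of check that the advisory describes as bypassable.
 * $file['type'] is the Content-Type header the client sent, so a request
 * carrying a .php filename with "image/jpeg" passes this test.
 */
function example_weak_check( array $file ) {
    $allowed = array( 'image/jpeg', 'image/png', 'image/gif' );
    return in_array( $file['type'], $allowed, true );
}

/**
 * HARDENED: validate a $_FILES entry the way WordPress core does.
 * Returns true when the file may be stored, otherwise a WP_Error.
 */
function example_validate_upload( array $file ) {
    // 1. Ignore the client Content-Type. wp_check_filetype_and_ext() derives
    //    the type from the file bytes (getimagesize / finfo) and from the
    //    extension, and compares the two.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );

    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        // Extension is not in the allowed MIME map (e.g. "php"), or the
        // content does not match any permitted type.
        return new WP_Error( 'upload_type', 'File type is not permitted.' );
    }

    // 2. If core found a mismatch it can fix (e.g. PNG bytes in a .jpg),
    //    it proposes a corrected name; adopt it rather than the client's.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // 3. Capability model. On multisite even site admins lack
    //    'unfiltered_upload', and get_allowed_mime_types() already applies
    //    the network's upload_filetypes list for the current user.
    if ( ! current_user_can( 'unfiltered_upload' ) ) {
        $allowed = get_allowed_mime_types();
        if ( ! in_array( $check['type'], $allowed, true ) ) {
            return new WP_Error( 'upload_type', 'File type is not permitted for this user.' );
        }
    }

    // 4. Defence in depth: never write a server-side script extension into
    //    the uploads directory, whatever the checks above concluded.
    $ext         = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    $script_exts = array( 'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar' );
    if ( in_array( $ext, $script_exts, true ) ) {
        return new WP_Error( 'upload_type', 'Executable file types are never allowed.' );
    }

    return true;
}

/**
 * Handler: run the validation, then let wp_handle_upload() move the file.
 * 'test_type' is left at its default (true) so core re-validates the MIME
 * type itself; 'test_form' is false because this is not the media form.
 */
function example_handle_upload( array $file ) {
    $ok = example_validate_upload( $file );
    if ( is_wp_error( $ok ) ) {
        return $ok;
    }
    return wp_handle_upload( $file, array( 'test_form' => false ) );
}
```

For the request shape in the Reproduction section (a `.php` filename with a JPEG Content-Type), `example_weak_check()` returns true, while `example_validate_upload()` rejects it at step 1 because `php` is not in the allowed MIME map, so `wp_check_filetype_and_ext()` returns an empty extension and type. Plugins that add their own upload endpoints should route through this kind of validation and `wp_handle_upload()` rather than calling `move_uploaded_file()` directly.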
