AP Background WordPress Plugin Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability allowing arbitrary file uploads has been identified in the AP Background plugin for WordPress, specifically in versions 3.8.1 to 3.8.2. This issue arises from missing authorization and inadequate file validation in the 'advParallaxBackAdminSaveSlider' function. As a result, authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the server, potentially leading to remote code execution.
Impact
Exploitation of this vulnerability could allow for arbitrary file uploads, which may be used to execute malicious code on the server.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can use the 'advParallaxBackAdminSaveSlider' function to upload files. The absence of proper authorization checks and file validation in this function creates an opportunity for unauthorized file uploads.
Remediation
No known patch is available for this vulnerability. It is recommended to uninstall the affected plugin and find a replacement.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.