EventPrime WordPress Plugin Unauthenticated File Upload Vulnerability

A vulnerability in the EventPrime plugin for WordPress allows unauthorized users to upload image files to the WordPress uploads directory. This issue affects all versions of the plugin prior to 4.2.8.5. The vulnerability arises because the plugin's upload_file_media AJAX action is publicly accessible without proper authentication, authorization, or nonce verification, despite a nonce being generated. As a result, unauthenticated attackers can upload files and create Media Library attachments via the ep_upload_file_media endpoint.

Impact

Exploitation of this vulnerability allows for unauthorized file uploads, which could be used to upload malicious files that may be executed on the server, depending on the file type and server configuration.

Reproduction

To reproduce this vulnerability, send a request to the ep_upload_file_media endpoint without authentication. Include an image file in the request. The uploaded file will be saved in the WordPress uploads directory, and a corresponding Media Library attachment will be created.

Remediation

Users can update the EventPrime plugin to version 4.2.8.5 or later to address this vulnerability.