Kubio WordPress Plugin Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the Kubio plugin for WordPress, affecting versions through 2.7.2. The issue arises from inadequate capability checks in the 'kubio_rest_pre_insert_import_assets' function, which is applied to the 'rest_pre_insert_{post_type}' filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, the plugin automatically imports files from external URLs specified in the 'kubio' attribute namespace, using the 'importRemoteFile' method. This process does not verify whether the user has the necessary 'upload_files' capability, enabling authenticated attackers with Contributor-level access or higher to bypass standard media upload restrictions. As a result, they can upload files from external sources to the WordPress media library, creating attachment posts in the database.
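As an added illustration of the defect described above, the following is a `rest_pre_insert_{post_type}` callback that side-loads remote files only after the authorization check the advisory says was missing. This is not the Kubio plugin's code: the function names (`example_extract_kubio_urls`, `example_import_remote_assets`) and the shape of the `kubio` payload (a list of URL strings under an `assets` key) are assumed; the WordPress API calls (`current_user_can`, `wp_http_validate_url`, `media_sideload_image`, `add_filter`) are real core functions.

```php
<?php
/*
 * Added example, not code from the Kubio plugin. Demonstrates the pattern the
 * advisory describes (a rest_pre_insert_{post_type} callback importing remote
 * assets) with the 'upload_files' capability gate in place.
 * Hypothetical names: example_extract_kubio_urls(), example_import_remote_assets().
 * Assumed payload shape: { "kubio": { "assets": [ "https://...", ... ] } }
 */

// Pull the remote URLs out of the request body (assumed shape, see above).
function example_extract_kubio_urls( WP_REST_Request $request ) {
    $kubio = $request->get_param( 'kubio' );
    if ( ! is_array( $kubio ) || empty( $kubio['assets'] ) || ! is_array( $kubio['assets'] ) ) {
        return array();
    }
    return array_values( array_filter( $kubio['assets'], 'is_string' ) );
}

// rest_pre_insert_{post_type} callback. Returning a WP_Error from this filter
// makes WP_REST_Posts_Controller abort the create/update with that error.
function example_import_remote_assets( $prepared_post, WP_REST_Request $request ) {
    $urls = example_extract_kubio_urls( $request );
    if ( empty( $urls ) ) {
        return $prepared_post; // nothing to import, nothing to authorize
    }

    // The check the advisory reports as absent: a side-loaded file is an upload,
    // so require exactly the capability the /wp/v2/media endpoint requires.
    // Contributors do not hold 'upload_files' by default, so they stop here.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_cannot_upload',
            __( 'Sorry, you are not allowed to upload files.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // media_sideload_image() lives in wp-admin; load its dependencies for REST calls.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $parent_id = isset( $prepared_post->ID ) ? (int) $prepared_post->ID : 0;

    foreach ( $urls as $url ) {
        // Accept only http(s) URLs that pass core validation; wp_http_validate_url()
        // also rejects loopback and private-range hosts unless a filter allows them.
        $safe_url = wp_http_validate_url( $url );
        if ( false === $safe_url ) {
            continue;
        }
        // media_sideload_image() only accepts image URLs and routes the download
        // through wp_handle_sideload(), so the allowed-MIME and extension checks
        // that apply to a normal upload apply here too. Returns attachment ID or WP_Error.
        $attachment_id = media_sideload_image( $safe_url, $parent_id, null, 'id' );
        if ( is_wp_error( $attachment_id ) ) {
            continue; // one bad asset should not fail the whole post; log as needed
        }
    }

    return $prepared_post;
}

// The advisory names posts, pages, templates and template parts; register the
// same gated callback on each post type the integration touches.
foreach ( array( 'post', 'page', 'wp_template', 'wp_template_part' ) as $example_type ) {
    add_filter( "rest_pre_insert_{$example_type}", 'example_import_remote_assets', 10, 2 );
}
```

The essential point is that the gate sits in the same filter that performs the import, so a REST create or update cannot reach `media_sideload_image()` without passing the same `upload_files` test that the media endpoint enforces.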

Impact

Exploitation of this vulnerability allows for unauthorized file uploads to the WordPress media library, potentially leading to the execution of malicious files or other harmful actions, depending on the nature of the uploaded content.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can create or update a post via the WordPress REST API. During this process, the 'kubio' attribute namespace can be used to specify URLs pointing to files. The 'kubio_rest_pre_insert_import_assets' function will automatically import these files into the media library, without proper authorization checks, effectively bypassing WordPress's default upload restrictions.

Remediation

Users are advised to update the Kubio WordPress plugin to version 2.7.3 or later, where this vulnerability has been patched.

Added: Apr 17, 2026, 5:22 AM
Updated: Apr 17, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 6.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.