Arbitrary File Upload
Advanced Custom Fields and Advanced Custom Fields Pro have 2+ million installs according to wordpress.org. Versions older than 5.12.3 allow unauthenticated users to upload arbitrary files if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
Fortunately by default WordPress does not allow uploading of .php files so this vulnerability is not easily wormable, but there are many other file types that can be uploaded that can be then used with another exploit to execute code or used in a phishing attack to get a user to download and execute a resource from a “trusted” site.
No exploit code is being released at this time.
- 7/11/2022 Contacted developer
- 7/12/2022 Disclosed vulnerability
- 7/13/2022 Patch received from developer for testing
- 7/14/2022 Fix deployed to GitHub and pushed to wordpress.org plugin repository
Elementor Page Builder versions less than 1.8 contain a major security issue that allows logged in users (not just admin) unrestricted access to the Elementor specific backend functions. This allows unrestricted importing/exporting of content and potentially complete site compromise. The WordPress.org repository claims there are over 300,000 active installations.
If you are running an older version, upgrade immediately. The Elementor team did not appear to be planning any disclosure or notification and the only indication in the changelog of any potential issues is “Fix! – Patched nonce validation for all library actions” along with additional nonce related fixes over the next few days to deal with bugs related to this patching.
Due to the large number of installs I will not describe the exact steps to exploit these methods. Many of the AJAX actions are accessible to any logged in user. Some of the actions are protected with the ‘elementor-editing’ nonce, unfortunately that was leaked to any logged in user via the WordPress heartbeat.
- 10/17/2017 Sent initial contact inquiry
- 10/18/2017 Received response and disclosure sent
- 10/26/2017 Followup message sent to check status
- 11/7/2017 Version 1.8.0 released
Ultimate Member versions less than 1.3.76 contain a critical security issue that allows unauthenticated users to reset any users password to an arbitrary value. This could allow an external attacker to take over an Administrator account and completely compromise the WordPress website. The WordPress.org repository claims there are 40,000+ active installs of this plugin, though there is no way of knowing how many are running vulnerable versions.
If you are running an older version, upgrade immediately. This flaw exists as far back as 1.0.0, which was the initial release of the plugin. The change log for the plugin doesn’t mention the specific flaw and
at this time I have not seen an announcement from the Ultimate Member developer. On December 8th, the developer published a blog post and a twitter post regarding the issue.
Due to the severity of this vulnerability, I will not provide specific details of the vulnerability at this time.
- 11/22/2016 12:00pm Sent vulnerability information to vendor
- 11/23/2016 3:40am Vendor replied saying issue was resolved with github commit b66c99b
- 11/23/2016 8:45am Sent followup to vendor explaining additional vulnerability
- 11/28/2016 4:52am Received vendor response saying additional fix was added with github commit c54e8d3
- 11/28/2016 Ultimate Member version 1.3.76 released