WP Ultimate CSV Importer plugin also available free on wordpress.org allows direct calling to code that can read files on the filesystem without authorization. The WordPress plugin directory reports there are 10,000+ active installs of this plugin.
This is a very serious issue that allows unprotected read access to any file that the user running php has access to.
templates/readfile.php can be called directly to read any file via directory traversal. You would have to iterate over each line in the file, but that is a trivial task.
On 3/30/2015 a new version was released to fix this issue. Here is the new code.
Unfortunately, that just added a tiny road bump to the issue. Since ‘HTTP_REFERER’ is trivial to set, you just need to do a bit more work to include that as well and it is easily scriptable.
Here is the final fix added. Which does what is essentially the commonly recommended WordPress security practice of not allowing a script to be called directly.
In almost every case there is no reason to allow code to be called directly. If you have the WordPress tools available to you then you should use them. Something like current_user_can() and a nonce should always be used.
Timeline
- 3/26/2015 12:30am Sent inital contact to vendor
- 3/26/2015 4:16am Email received from “Sales” requesting more info
- 3/26/2015 8:49am Vulnerability information sent to vendor
- 3/26/2015 9:15am Vendor says information forwareded to developer
- 3/30/2015 9:38am Vendor notified that the issue is resolved in version 3.6.78
- 4/14/2015 10:20am In preperation to post, determined that their fix was insufficient. Re-contact vendor
- 4/16/2015 7:42am Re-contact vendor to check status
- 4/16/2015 9:14pm Vendor replied saying they are working on it and would follow up when resolved (they never did)
- 4/20/2015 Version 3.7.1 released