A new vulnerability in the User Submitted Posts WordPress plugin (versions 20230902 and below) has been discovered by the Patchstack team.
With over 20,000 active installations, this popular plugin is used for user-generated content submissions and is developed by Plugin Planet.
The vulnerability, discussed by Patchstack security researcher Rafie Muhammad in an advisory published today, has been assigned CVE-2023-45603.
“This plugin suffers from an unauthenticated arbitrary file upload vulnerability,” Muhammad explained.
The flaw resides in the plugin’s handling of uploaded files, particularly in the “usp_attach_images” function. Unauthenticated users could exploit this vulnerability by uploading files with PHP code embedded, which would then execute on the server, potentially compromising the website’s security.
Read more on WordPress security: WooCommerce Bug Exploited in Targeted WordPress Attacks
In his blog post, Muhammad explained the team discovered the flaw in September 2023 and a patch was issued by Plugin Planet two days later. By October 10 2023, the vulnerability was cataloged in the Patchstack database.
“Since the main problem is allowing arbitrary file name extensions to be uploaded, the vendor decided to add a whitelist check before uploading the file to the server,” reads the technical write-up.
The issue has been addressed in the latest release of the plugin, version 20230914. Users are strongly advised to update their installations immediately to protect their websites from this serious security threat.
“Always check every process of $_FILES parameters in the plugin or theme code,” Muhammad wrote. “Make sure to apply a check on the filename and extension before uploading the file.”
Website owners are also reminded to audit their code for potential vulnerabilities and to maintain a whitelist of allowed file extensions as a precautionary measure against arbitrary file uploads.