On November 20th, while auditing a hacked WordPress website, we identified a critical vulnerability in the Delete All Comments WordPress plugin v2.0, which has over 30,000 active installations. Because part of the delete-all-comments.php main script is not restricted to the administrator, any unauthenticated user can upload a remote PHP script into the /plugins/delete-all-comments/backup/ folder:

```php
// Vulnerable restore handler from delete-all-comments.php v2.0 (as excerpted in the advisory).
// No capability check or nonce verification precedes this block, so it runs for anonymous requests.
if(isset($_POST['restorefromfileNAME']) || isset($_POST['restorefromfileURL']))
{

    // The only guard is "does the target already exist"; the name is used unvalidated.
    if(!file_exists(dirname(__file__)."/backup/".$_POST['restorefromfileNAME']))
    {
        $fileUrl=$_POST['restorefromfileNAME'];
        $fileName=$fileUrl;
        // $extension is computed but never checked, so any extension (including .php) is accepted.
        $extension=explode(".",$fileUrl);
        // Attacker-chosen file name receives attacker-chosen remote content.
        file_put_contents(dirname(__file__)."/backup/$fileName",file_get_contents($_POST['restorefromfileURL']));
        file_put_contents(dirname(__file__)."/content.log","working");
        // ... remainder of the handler omitted in the advisory excerpt
    }
}
```

An attacker can assign the destination file name to the $_POST['restorefromfileNAME'] variable and the remote file to download to the $_POST['restorefromfileURL'] variable. The remote script will be uploaded into the /backup/ sub-folder.
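For comparison, the following is an added example of how the same restore handler would look with the missing controls in place. It is not the plugin's code: the `dac_` function prefix, the `dac_restore` nonce action and `dac_restore_nonce` field name, the `admin_init` hook, and the assumption that backups are plain `.sql` dumps are all hypothetical choices made for this illustration. Everything else uses standard WordPress API functions.

```php
<?php
// Added example, not the plugin's code: a hardened restore handler.
// Assumptions (hypothetical): the form emits a nonce field named 'dac_restore_nonce'
// for the action 'dac_restore', and backup files are plain .sql dumps.

function dac_handle_restore_request() {
    if ( ! isset( $_POST['restorefromfileNAME'] ) && ! isset( $_POST['restorefromfileURL'] ) ) {
        return;
    }

    // 1. Only administrators may restore; the vulnerable version had no such check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Require a valid nonce so the action cannot be triggered cross-site.
    check_admin_referer( 'dac_restore', 'dac_restore_nonce' );

    // 3. Reduce the supplied name to a safe basename and whitelist the extension,
    //    so neither directory traversal nor a .php drop-in is possible.
    $file_name = sanitize_file_name( wp_unslash( $_POST['restorefromfileNAME'] ?? '' ) );
    $file_name = basename( $file_name );
    if ( '' === $file_name || ! preg_match( '/^[A-Za-z0-9_-]+\.sql$/', $file_name ) ) {
        wp_die( 'Invalid backup file name.', '', array( 'response' => 400 ) );
    }

    $backup_dir = realpath( dirname( __FILE__ ) . '/backup' );
    if ( false === $backup_dir ) {
        wp_die( 'Backup directory is missing.', '', array( 'response' => 500 ) );
    }
    $target = $backup_dir . '/' . $file_name;

    // 4. Never overwrite an existing backup.
    if ( file_exists( $target ) ) {
        wp_die( 'A backup with that name already exists.', '', array( 'response' => 409 ) );
    }

    // 5. Fetch with the WordPress HTTP API (URL validation, timeouts, unsafe-URL rejection)
    //    instead of file_get_contents() on raw user input.
    $url = esc_url_raw( wp_unslash( $_POST['restorefromfileURL'] ?? '' ) );
    if ( '' === $url || 0 !== strpos( $url, 'https://' ) ) {
        wp_die( 'Only https:// URLs are accepted.', '', array( 'response' => 400 ) );
    }
    $response = wp_remote_get( $url, array( 'timeout' => 15, 'reject_unsafe_urls' => true ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Could not download the backup file.', '', array( 'response' => 502 ) );
    }
    $body = wp_remote_retrieve_body( $response );

    // 6. Refuse content that contains a PHP open tag; a SQL dump never needs one.
    if ( false !== stripos( $body, '<?php' ) || false !== strpos( $body, '<?=' ) ) {
        wp_die( 'Downloaded content does not look like a backup.', '', array( 'response' => 400 ) );
    }

    file_put_contents( $target, $body, LOCK_EX );
}
add_action( 'admin_init', 'dac_handle_restore_request' );
```

The two controls that close the reported issue are the capability check and the file-name whitelist; the nonce, the HTTPS-only fetch with `reject_unsafe_urls`, and the content check are defence in depth. Independently of the code, denying PHP execution inside the `backup/` directory at the web-server level (for example, a deny rule for `*.php` in that path) means a dropped script still cannot run even if a future bug reintroduces the upload.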