
wp-plugin-uploader and wp-upload-n-view allow arbitrary uploading (1 post)

  twiggle (Member), posted 6 years ago

    An FYI for anyone out there who might be using wp-plugin-uploader and wp-upload-n-view ( http://wp-plugins.net/author/ahlul_b4n9_s/ ): the way these plugins upload files is accessible to anybody, allowing anyone to arbitrarily upload any zip file to your plugins or themes directory. You do NOT have to have an account on the blog to be able to access this file.

    If you have these plugins installed, *it is not enough to disable them.* Going to the URL http://<mysite.com>/wp-content/plugins/wp-upload-n-view/unzip.php , even with the plugin DISABLED, will give ANYONE access to upload and unzip files to your themes directory. Same thing with the plugin uploader.

    I haven't been able to get the author's site to load for a few days now, and despite the fact that it is an extremely handy plugin, it's absolutely too much of a risk and I thought everyone should know about it.
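The root cause described in the post is a script under wp-content/plugins/ that does its work at file load, without ever bootstrapping WordPress, so the web server serves it to any visitor by URL and deactivating the plugin changes nothing. The following is an added example, not code from wp-upload-n-view or wp-plugin-uploader (their files were not examined for this note); it shows, in a comment, the constructed shape of such a stand-alone endpoint, and beside it a hardened theme-zip upload handler. The hzu_* names, the form field `zipfile` and the nonce action are assumptions for the illustration, and the handler assumes a WordPress version that provides the `admin_post_*` hook and PHP's ZipArchive class.

```php
<?php
/*
 * Plugin Name: Hardened Theme Zip Upload (illustrative example only)
 *
 * Constructed shape of the problem (NOT the real plugin's code):
 *
 *   // unzip.php, reachable at /wp-content/plugins/<plugin>/unzip.php
 *   // No WordPress bootstrap, no login, no capability check, no nonce,
 *   // no validation of archive entry names. Runs for anyone, plugin
 *   // active or not, because the web server executes the file directly.
 *   $zip = new ZipArchive();
 *   if ($zip->open($_FILES['zipfile']['tmp_name']) === true) {
 *       $zip->extractTo(__DIR__ . '/../../themes/');
 *       $zip->close();
 *   }
 *
 * The handler below closes each of those gaps.
 */

// 1. Refuse direct requests. WordPress defines ABSPATH before it includes a
//    plugin file; a browser hitting this file by URL never goes through
//    WordPress, so ABSPATH is undefined and execution stops here.
defined('ABSPATH') || exit;

// 2. Do the work from a hook, not at file load. Hooks are only registered
//    while the plugin is active, so deactivating it really disables the feature.
//    The upload form posts to admin-post.php with action=hzu_upload_theme_zip
//    (hzu_* is an assumed name).
add_action('admin_post_hzu_upload_theme_zip', 'hzu_handle_upload');

function hzu_handle_upload() {
    // 3. Only a logged-in user with the right capability may proceed.
    //    A plugin uploader would check 'install_plugins' instead.
    if (!current_user_can('install_themes')) {
        wp_die('Insufficient permissions.', 'Forbidden', array('response' => 403));
    }

    // 4. CSRF protection: the form must have emitted
    //    wp_nonce_field('hzu_upload_theme_zip') and the nonce must verify.
    check_admin_referer('hzu_upload_theme_zip');

    if (empty($_FILES['zipfile']['tmp_name']) || !is_uploaded_file($_FILES['zipfile']['tmp_name'])) {
        wp_die('No uploaded file.');
    }

    $zip = new ZipArchive();
    if ($zip->open($_FILES['zipfile']['tmp_name']) !== true) {
        wp_die('Not a valid zip archive.');
    }

    // 5. Validate every entry name before extracting anything: no absolute
    //    paths, no backslashes, no ".." components, and everything under a
    //    single top-level directory. This stops an archive from writing
    //    outside the theme root (for example over wp-config.php).
    $top = null;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === '' || $name[0] === '/' || strpos($name, '\\') !== false
            || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $zip->close();
            wp_die('Archive contains an unsafe path: ' . htmlspecialchars($name));
        }
        $first = strtok($name, '/');
        if ($top === null) {
            $top = $first;
        } elseif ($first !== $top) {
            $zip->close();
            wp_die('Archive must contain a single theme directory.');
        }
    }
    if ($top === null || !preg_match('/^[A-Za-z0-9_-]+$/', $top)) {
        $zip->close();
        wp_die('Invalid theme directory name.');
    }

    // 6. Never overwrite an installed theme.
    $dest = trailingslashit(get_theme_root());
    if (file_exists($dest . $top)) {
        $zip->close();
        wp_die('A theme with that directory name already exists.');
    }

    $zip->extractTo($dest);
    $zip->close();

    wp_safe_redirect(admin_url('themes.php?hzu=installed'));
    exit;
}
```

The two checks that matter most for the situation in the post are the first two: the `defined('ABSPATH') || exit;` guard makes a direct request to the file a no-op, and registering the work on a hook ties it to the plugin being active. The capability and nonce checks then make sure that even the intended path is only usable by an authorised, logged-in user.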

About this Topic

  • Started 6 years ago by twiggle
  • This topic is not a support question
  • WordPress version: 2.2.3