wp-plugin-uploader and wp-upload-n-view allow arbitrary uploading
An FYI for anyone out there who might be using the wp-plugin-uploader and wp-upload-n-view plugins ( http://wp-plugins.net/author/ahlul_b4n9_s/ ): the way these plugins upload files is accessible to anybody, allowing anyone to arbitrarily upload any zip file to your plugins or themes directory. You do NOT have to have an account on the blog to be able to access this file.
If you have these plugins installed, *it is not enough to disable them.* Going to the url http://<mysite.com>/wp-content/plugins/wp-upload-n-view/unzip.php , even with the plugin DISABLED, will give ANYONE access to upload and unzip files to your themes directory. Same thing with the plugin uploader.
I haven’t been able to get the author’s site to load for a few days now, and despite the fact that it is an extremely handy plugin, it’s absolutely too much of a risk and I thought everyone should know about it.
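For anyone checking whether their site was hit, the following is an added example (not code from the post or from the plugin author) that scans web-server access-log lines in Apache combined format for requests to the standalone `unzip.php` path named above and lists which plugin directories on disk still contain that file. The `unzip.php` path comes from the post; the rule that flags any direct `.php` request under `/wp-content/plugins/wp-plugin-uploader/` is an assumption, since the post does not name the uploader's file. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Path stated in the forum post: reachable even with the plugin deactivated.
WATCH_PATHS = ("/wp-content/plugins/wp-upload-n-view/unzip.php",)
# Assumption: the post does not name the uploader's script, so any direct
# request for a .php file under the plugin's directory is treated as suspect.
WATCH_PREFIXES = ("/wp-content/plugins/wp-plugin-uploader/",)

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:12:01:15 +0000] "GET /wp-content/plugins/wp-upload-n-view/unzip.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2009:12:01:40 +0000] "POST /wp-content/plugins/wp-upload-n-view/unzip.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2009:12:02:03 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2009:12:03:11 +0000] "GET /wp-content/plugins/wp-upload-n-view/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path (query string stripped), status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_watched(path):
    """True if the request path is the known upload script or a direct .php hit under the uploader dir."""
    if path in WATCH_PATHS:
        return True
    return any(path.startswith(p) and path.endswith(".php") for p in WATCH_PREFIXES)


def find_hits(lines):
    """All parsed requests that touched a watched path. A POST here is an upload attempt, not just a probe."""
    return [rec for rec in map(parse_line, lines) if rec and is_watched(rec["path"])]


def summarize_by_ip(hits):
    """Count of watched-path requests per client address."""
    return dict(Counter(rec["ip"] for rec in hits))


def find_exposed_scripts(relative_paths):
    """Given paths relative to the WordPress root (e.g. from os.walk), return those that are still reachable
    upload scripts. Deactivating the plugin in wp-admin does not remove them; deleting the directory does."""
    exposed = []
    for p in relative_paths:
        if is_watched("/" + p.lstrip("/")):
            exposed.append(p)
    return exposed


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("per-ip totals:", summarize_by_ip(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; a `200` on a `POST` to `unzip.php` from an address you do not recognise means a zip was accepted and the resulting theme or plugin directory should be inspected and the plugin directories removed outright, since (as the post says) deactivation leaves the script reachable.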