The Need For WordPress Plugin Vulnerability Fixes To Be Tested
With our service we don’t just add newly reported vulnerabilities to our data; we actually test each vulnerability. That means we can tell you which versions are vulnerable, we can exclude false reports of vulnerabilities, and, probably most importantly, we can determine whether the vulnerability has actually been fixed. The last one is a big distinction between us and other similar services. It also helps to improve the security of the WordPress ecosystem, because if we don’t do it, in many cases it doesn’t look as though anyone else will, as an unfixed vulnerability from 2012 that we recently ran across shows.
Recently our monitoring of attempts to exploit WordPress plugins on a live website showed some requests for the file /wp-content/plugins/resume-submissions-job-postings/installer.php. The attempts appeared as part of a series of requests for files from various WordPress plugins, and it looked like the files being requested were an attempt to determine which plugins were installed before exploiting them. Looking around, we couldn’t find any references to a vulnerability involving that file in the Resume Submissions & Job Postings plugin, but we did find a report of an arbitrary file upload vulnerability in the plugin from July of 2012. That is one of the more serious types of vulnerability, since unlike many others it is frequently exploited. The report listed the vulnerability as existing in version 2.5.1. In the plugin’s changelog entry for version 2.5.2, the first item seemed to indicate that the vulnerability had been fixed: “Fixed: Attachment security vulnerability”.
After confirming that the vulnerability existed in version 2.5.1 we went to test version 2.5.2 to see if the vulnerability had been fixed in that version.
To begin the testing we did the following:
- Added and activated the plugin.
- Added the shortcode [resumeForm] to a new post.
- Logged out of WordPress.
- Went to the new post.
- Entered values for the required fields in the resume form on the page.
From there we tried to select a file with a .php extension to upload in the Attachment section, in order to exploit the vulnerability, but we now got this alert:
The source of that was lines 222 and 223 of the plugin’s file /resume-submissions-job-postings/includes/jQuery/jquery.multi-file.js:
if(MultiFile.accept && v && !v.match(MultiFile.rxAccept))//{
    ERROR = MultiFile.STRING.denied.replace('$ext', String(v.match(/\.\w{1,4}$/gi)));
Since that code runs on the client side, it can be disabled. For testing purposes we simply commented out those lines and reloaded the file in the web browser. We were then able to choose a .php file to upload. After hitting the SUBMIT RESUME button we were taken back to the resume form, so it looked as though something was stopping us from uploading a .php file. But in the plugin’s upload directory the file had in fact been uploaded.
After reviewing the changes made in version 2.5.2 we found out what was going on. On lines 201-207 of the file /resume-submissions-job-postings/includes/functions.php, code had been added to restrict which file extensions could be uploaded:
// Double check the allowed file types
$attachSet = get_option( 'resume_attachments' );
$allowed = strpos( $attachSet['allowed'], $ext );
if ( $allowed === false ){
    $dbInsert = 'Error';
    return $dbInsert;
}
Unfortunately that code was added directly after the line that saves the uploaded file to the filesystem:
$moveFile = move_uploaded_file( $tmpName, $uploadDir . $name );
If someone had bothered to test this at the time, it could have been easily fixed by moving the line that saves the uploaded file to after the code that checks the extension. Instead the plugin has remained vulnerable for nearly four years. At this point it seems the plugin’s developer has abandoned the plugin, so once we notify the people running WordPress’s Plugin Directory it will likely be removed (we notified the plugin’s developer last Monday, but have received no response so far).
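To make the ordering problem concrete, here is an added illustration (not the plugin’s code) of the 2.5.2 sequence beside the corrected one. The function names, the `$allowedList` whitelist standing in for the plugin’s `resume_attachments` option, and the injected `$mover` callable (so the logic can be exercised without a real HTTP upload) are all assumptions of this example.

```php
<?php
// Added illustration, not code from the Resume Submissions & Job Postings plugin.
// $mover stands in for move_uploaded_file() so the two orderings can be run
// side by side without a real upload; $allowedList is a constructed whitelist.

// Mirrors the 2.5.2 bug: the file is written to disk first, and the extension
// check that follows only decides what gets recorded and reported to the user.
function save_attachment_vulnerable(string $tmpName, string $name, string $uploadDir,
                                    array $allowedList, callable $mover): string {
    $ext   = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $moved = $mover($tmpName, $uploadDir . $name);      // file is already on disk here
    if (!in_array($ext, $allowedList, true)) {
        return 'Error';  // too late: the rejected file remains in the upload directory
    }
    return $moved ? $uploadDir . $name : 'Error';
}

// Corrected ordering: validate the extension (exact match against an explicit
// whitelist) before anything touches the filesystem.
function save_attachment_fixed(string $tmpName, string $name, string $uploadDir,
                               array $allowedList, callable $mover): string {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedList, true)) {
        return 'Error';  // nothing has been written yet
    }
    return $mover($tmpName, $uploadDir . $name) ? $uploadDir . $name : 'Error';
}

// Constructed demo: a fake mover records what would have been written to disk.
$written   = [];
$fakeMover = function (string $from, string $to) use (&$written): bool {
    $written[] = $to;
    return true;
};
$allowed = ['pdf', 'doc', 'docx'];

$r1 = save_attachment_vulnerable('/tmp/phpA1B2', 'resume.php', '/uploads/', $allowed, $fakeMover);
$r2 = save_attachment_fixed('/tmp/phpC3D4', 'resume.php', '/uploads/', $allowed, $fakeMover);

// Both calls report 'Error' to the caller, but only the vulnerable ordering
// has actually left /uploads/resume.php behind.
printf("vulnerable returned %s, fixed returned %s\n", $r1, $r2);
printf("files written: %s\n", implode(', ', $written));
```

Run with `php` on the command line; the only path in `$written` comes from the vulnerable ordering, which is exactly the behaviour observed above where the form redisplayed yet the .php file sat in the upload directory.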