
WordPress Vulnerability: ShortPixel Enable Media Replace Plugin Exposed

The National Vulnerability Database has published a vulnerability advisory for the ShortPixel Enable Media Replace WordPress plugin, which is used by over 600,000 websites. A high-severity vulnerability has been discovered that could allow an attacker to upload arbitrary files.

The NVD (maintained by the U.S. National Institute of Standards and Technology) has assigned this vulnerability a score of 8.8 out of 10, with 10 being the highest severity.

Enable Media Replace Plugin Vulnerability

Ordinarily, one cannot upload an image with the same file name to update an existing image. The Enable Media Replace Plugin by ShortPixel allows users to easily update images without having to delete the old image and then upload the updated version with the same file name.

Security researchers discovered that users with publishing privileges could upload arbitrary files, including PHP shells, also known as backdoors.

A plugin that accepts file uploads (form submissions) should verify that each submitted file is actually of the type it is meant to accept, in this case an image. According to the NVD advisory, the plugin does not perform that check when users upload replacement image files.

The National Vulnerability Database published this description:

“The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.”

This type of vulnerability is classified as Unrestricted Upload of File with Dangerous Type. Because nothing restricts what can be uploaded, anyone with Author privileges can upload a PHP script, which an attacker can then execute remotely by requesting it from the web server.
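As an added illustration, not code from the plugin or the article, the check a hardened media-replace handler should perform before accepting a file: the extension must be on an image allowlist, it must match the attachment being replaced, the file's magic bytes must match that extension, and the image data must not carry an embedded PHP tag. A helper at the end lists files under an uploads tree with server-side extensions, which is the simplest post-incident check for this class of bug; file names and bytes below are constructed.

```python
import os

# Image extensions a replace handler should accept, each with the magic
# bytes a genuine file of that type starts with (jpeg is normalised to jpg).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpeg": "jpg"}
# Extensions a PHP-enabled web server may execute; none belong under uploads.
SERVER_SIDE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}


def normalise_ext(filename):
    """Lower-cased extension without the dot, with aliases folded."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext)


def sniff_image_type(data):
    """Return the allowed image type whose magic bytes match, or None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if data.startswith(sigs):  # bytes.startswith accepts a tuple
            return ext
    return None


def validate_replacement(filename, data, original_filename):
    """Decide whether `data` may replace the attachment `original_filename`.
    Returns 'ok' or a short rejection reason."""
    ext = normalise_ext(filename)
    if ext not in IMAGE_SIGNATURES:
        return "rejected: extension not on the image allowlist"
    if ext != normalise_ext(original_filename):
        return "rejected: type differs from the attachment being replaced"
    if sniff_image_type(data) != ext:
        return "rejected: file content does not match its extension"
    if b"<?php" in data or b"<?=" in data:
        return "rejected: embedded PHP tag in image data"
    return "ok"


def find_server_side_files(root):
    """List files under an uploads tree whose extension the server might run."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if normalise_ext(name) in SERVER_SIDE_EXTS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)
```

Run `find_server_side_files` against the site's `wp-content/uploads` directory to check whether a vulnerable installation already holds executable files.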

PHP Shell

A PHP shell is a web-accessible script that lets whoever can reach it run commands on the server, manipulate files and use command-line programs, the kind of access a website administrator would normally use for maintenance and upgrades. That level of access is valuable to attackers, which is why this vulnerability is rated High, with a score of 8.8.

This kind of access is also referred to as a backdoor. A GitHub list of backdoors describes how such shells typically reach a site:

“Hackers usually take advantage of an upload panel designed for uploading images onto sites. This is usually found once the hacker has logged in as the admin of the site. Shells can also be uploaded via exploits or remote file inclusion, or a virus on the computer.”

Recommended Action

ShortPixel has issued a patch for the vulnerability, documented in the official changelog. Enable Media Replace plugin versions lower than 4.0.2 are vulnerable, so users of the plugin should update to version 4.0.2 or later.

Read the official NVD advisory for the vulnerability:

CVE-2023-0255 Detail

Featured image by Shutterstock/Asier Romero
