[wp-trac] [WordPress Trac] #28994: Installing a plugin by file upload does not check the file type
WordPress Trac
noreply at wordpress.org
Wed Jul 23 05:08:47 UTC 2014
#28994: Installing a plugin by file upload does not check the file type
----------------------------+-----------------------------
Reporter: mix5003 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version: 3.9.1
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
Upload installs of plugins do not check the file type. If a hacker brute-forces or
gets admin-level access, they can run a PHP script on my site.
To reproduce:
1. Upload a PHP file via Plugins->Add New->Upload. After the upload it asks for FTP
login details; please leave it there and do step 2.
2. Use a browser to go to http://mysite/wp-content/uploads/[CURRENT
YEAR]/[CURRENT MONTH]/filename.php
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28994>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
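One way to close the gap the ticket describes is to verify that the uploaded file really is a ZIP plugin archive before it reaches the installer. The following is an added example, not WordPress core code; it assumes the caller passes the uploaded temp path and the client-supplied original file name, and the function name `validate_plugin_upload` is hypothetical.

```php
<?php
// Added example (not WordPress core code). Rejects anything that is not a
// ZIP archive containing a plugin main file, so a bare .php upload never
// lands in wp-content/uploads. $tmpPath is the uploaded temp file and
// $originalName is the name the browser supplied (assumed inputs).
function validate_plugin_upload(string $tmpPath, string $originalName): array {
    // 1. Extension check on the client-supplied name: cheap, but spoofable on its own.
    if (strtolower(pathinfo($originalName, PATHINFO_EXTENSION)) !== 'zip') {
        return [false, 'Plugin uploads must be .zip archives.'];
    }
    // 2. Content check: a ZIP local file header starts with "PK\x03\x04".
    $fh = fopen($tmpPath, 'rb');
    if ($fh === false) {
        return [false, 'Uploaded file could not be read.'];
    }
    $magic = fread($fh, 4);
    fclose($fh);
    if ($magic !== "PK\x03\x04") {
        return [false, 'Uploaded file is not a ZIP archive.'];
    }
    // 3. Structural check: the archive must open and contain a .php file
    //    carrying a "Plugin Name:" header, and no entry may escape the
    //    extraction directory.
    $zip = new ZipArchive();
    if ($zip->open($tmpPath) !== true) {
        return [false, 'ZIP archive is corrupt or unreadable.'];
    }
    $hasPluginHeader = false;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (strpos($name, '..') !== false || substr($name, 0, 1) === '/') {
            $zip->close();
            return [false, "Unsafe path in archive: $name"];
        }
        if (substr($name, -4) === '.php') {
            // The header block sits at the top of the file; 8 KiB is plenty.
            $head = $zip->getFromIndex($i, 8192);
            if ($head !== false && preg_match('/^[ \t\/*#@]*Plugin Name:/mi', $head)) {
                $hasPluginHeader = true;
            }
        }
    }
    $zip->close();
    if (!$hasPluginHeader) {
        return [false, 'Archive does not contain a plugin main file.'];
    }
    return [true, 'OK'];
}
```

Call it with `$_FILES['pluginzip']['tmp_name']` and `$_FILES['pluginzip']['name']` before handing the file to the upgrader, and treat any `false` result as a rejected upload. As defence in depth, the uploads directory should also be served with PHP execution disabled, so that a file which slips through a validation bug still cannot run.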