An arbitrary file upload vulnerability has been discovered in the popular WordPress plugin Keydatas, which has over 5,000 active installations. The flaw lets unauthenticated attackers upload arbitrary files, including executable PHP scripts, and achieve remote code execution, potentially leading to complete site takeover.
The vulnerability was discovered by security researcher Foxyyy, and at least 8,000 exploitation attempts have already been observed in the wild.
The vulnerability lies in the keydatas_downloadImages function, which downloads remote images and writes them into the site's uploads directory. The function performed no file type or extension validation, so any file, including an executable PHP script, could be placed there.
The problem was compounded by a flaw in the plugin's password protection feature. The developers shipped a default password of 'keydatas.com', and any site owner who never changed it left the plugin's functions reachable with that value, giving attackers an easy entry point.
“Unfortunately, it was found that the password has a default value of ‘keydatas.com’. If site owners do not set a different password, the threat actor can access all of the plugin’s functions, such as editing posts or uploading files, using the default password,” researchers explained.
This flaw allows unauthorised users to upload malicious files directly into the WordPress uploads folder, which is publicly accessible. An attacker who has placed a PHP file there only has to request its URL to execute code on the server, for example by dropping a web shell, which can lead to a complete takeover of the affected website.
“The function does not include any file type or extension checks in the vulnerable version. This means that not only image files can be uploaded, but it is also possible to upload files with a .php extension,” researchers observed. “The file is uploaded to the WordPress uploads folder, which is publicly accessible. This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”
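To make the missing check concrete, the following is an added Python illustration (not the plugin's code, which is PHP, and not material from the researchers) of an image download path that writes whatever name and content it is handed, next to a hardened version that allowlists image extensions, rejects a script extension anywhere in the name, checks the file's magic bytes against the claimed extension, and stores the result under a server-chosen name. The function names, the allowlist and the PHP payload are constructed for the example.

```python
import os
import secrets
import tempfile

# Extension allowlist and the magic bytes each type must start with.
# Constructed for this example; WordPress itself keeps a longer MIME map.
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}

# A script extension anywhere in the name is rejected, so shell.php.jpg
# (which a misconfigured Apache AddHandler rule will execute) is refused.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def store_upload_vulnerable(uploads_dir, remote_name, data):
    """The pattern the article describes: the name taken from the remote
    URL is written straight into the public uploads folder with no type
    or extension check, so a .php body becomes a reachable script."""
    dest = os.path.join(uploads_dir, os.path.basename(remote_name))
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def detect_image_type(data):
    """Return the allowlisted type whose magic bytes match, else None."""
    for ext, magics in ALLOWED_IMAGE_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_image_upload(remote_name, data):
    """Return (ok, info): info is the canonical extension when ok, or
    the rejection reason when not."""
    name = os.path.basename(remote_name.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "empty name or NUL byte"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return False, "script extension present"
    ext = EXTENSION_ALIASES.get(parts[-1], parts[-1])
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension .{parts[-1]} not allowed"
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a recognised image"
    if detected != ext:
        return False, f"content is {detected} but name claims {ext}"
    return True, ext


def store_upload_hardened(uploads_dir, remote_name, data):
    """Validate first, then store under a random server-chosen name so the
    request controls neither the base name nor the extension."""
    ok, info = validate_image_upload(remote_name, data)
    if not ok:
        raise ValueError(f"rejected {remote_name!r}: {info}")
    dest = os.path.join(uploads_dir, f"{secrets.token_hex(8)}.{info}")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Feed both handlers a constructed web-shell body named x.php and
    report which one left a .php file in a temporary uploads dir."""
    payload = b"<?php system($_GET['c']); ?>"  # constructed, do not deploy
    with tempfile.TemporaryDirectory() as uploads:
        written = store_upload_vulnerable(uploads, "x.php", payload)
        vulnerable_wrote_php = os.path.isfile(written)
        try:
            store_upload_hardened(uploads, "x.php", payload)
            hardened_wrote_php = True
        except ValueError:
            hardened_wrote_php = False
    return {"vulnerable": vulnerable_wrote_php, "hardened": hardened_wrote_php}


if __name__ == "__main__":
    print(demo())
```

The hardened path deliberately does not trust the extension alone: a polyglot such as a JPEG body named cat.png is rejected because the detected type and the claimed type disagree, and the stored name is generated server-side so the attacker cannot pick a path the web server will execute.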
The researchers listed the following indicators of compromise:
- Executable PHP files in the /wp-content/uploads directory
- File names such as /wp-apxupx.php, /x.php, /about.php, /dropdown.php, /JLA67p.php, and /RRJxmp.php
- Requests with the URL parameter ‘apx=upx’
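The indicators above translate directly into detection logic. The following is an added Python example, not from the advisory or the researchers, that runs all three checks over a few constructed access-log lines (the IP addresses, timestamps and the /index.php endpoint carrying the parameter are made up; the file name and the apx=upx marker come from the list) and walks an uploads tree for PHP-type files.

```python
import os
import re
import tempfile

# File names the researchers listed as indicators of compromise.
IOC_FILENAMES = {
    "wp-apxupx.php", "x.php", "about.php", "dropdown.php",
    "JLA67p.php", "RRJxmp.php",
}
# The query-string marker reported on exploitation requests.
IOC_QUERY = re.compile(r"[?&]apx=upx(?:&|$)")
# Anything PHP-like under uploads is suspect regardless of name.
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)

# Combined-format access log fields this scan needs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (IPs, timestamps and endpoint are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2024:10:01:12 +0000] "POST /index.php?apx=upx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jul/2024:10:01:14 +0000] "GET /wp-content/uploads/2024/07/wp-apxupx.php?c=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jul/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/07/photo.jpg HTTP/1.1" 200 43210 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jul/2024:10:02:03 +0000] "GET /about/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""


def classify_request(path):
    """Return the list of indicator names a request path matches."""
    reasons = []
    file_part, _, query = path.partition("?")
    if IOC_QUERY.search("?" + query):
        reasons.append("apx=upx parameter")
    if "/wp-content/uploads/" in file_part and PHP_EXT.search(file_part):
        reasons.append("php under uploads")
    base = os.path.basename(file_part)
    if base in IOC_FILENAMES:
        reasons.append(f"known file name {base}")
    return reasons


def scan_access_log(lines):
    """Return (ip, timestamp, path, reasons) for every line matching at
    least one indicator; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), reasons))
    return hits


def scan_uploads_dir(root):
    """Return every file under root with a PHP-type extension, as sorted
    forward-slash relative paths."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if PHP_EXT.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo_uploads_scan():
    """Build a throwaway uploads tree with two planted PHP files among
    legitimate images and return what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("2024/07/photo.jpg", "2024/07/x.php",
                    "JLA67p.php", "2024/06/logo.png"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"placeholder")
        return scan_uploads_dir(root)


if __name__ == "__main__":
    for ip, ts, path, reasons in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {path} -> {', '.join(reasons)}")
    print("PHP files under uploads:", demo_uploads_scan())
```

The filesystem check is the one to rely on: the listed names are what this campaign happened to use, so a PHP file under wp-content/uploads with any name is the durable signal, and the name list only adds attribution when it matches.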
Researchers urge users to update to the latest version immediately to remove the risk of exploitation, and site owners who rely on the plugin's password feature should replace the default 'keydatas.com' value. Regular vulnerability scans and a web application firewall are also advised as protection against similar threats.