User Submitted Posts: Vulnerability found in WordPress plugin

Home/BOTNET, Compromised, cyberattack, Evilproxy, Exploitation, Internet Security, malicious cyber actors, Mobile Security, Security Advisory, Security Update, Software Issues/User Submitted Posts: Vulnerability found in WordPress plugin

User Submitted Posts: Vulnerability found in WordPress plugin

His team at Patch Stack recently uncovered a fresh vulnerability in the WordPress plugin “User Submitted Posts,” affecting versions from 20230902 onwards.

With over 20,000 active installations, this popular plugin is utilized for content submissions created by users and is the brainchild of Plugin Planet.

All about the vulnerability :

The security researcher at Patchstack, Rafie Muhammad, brought attention to this vulnerability, and it has now been officially registered as CVE-2023-45603. According to the researcher, this vulnerability permits unauthorized file uploads.

The bug pertains to how the plugin manages uploaded files, specifically within the “usp_attach_images” function. Unauthenticated users could potentially exploit this vulnerability by uploading files containing embedded PHP code, which may subsequently execute on the server, potentially jeopardizing the security of the website.

The researcher elaborated that their team unearthed the vulnerability within the User Submitted Posts WordPress plugin in September 2023.

Plugin Planet promptly issued a patch just two days after its discovery. By October 10, 2023, the vulnerability had been officially documented in the Patchstack database.

Since the main problem is that arbitrary file name extensions are allowed to be uploaded, the vendor decided to add a whitelist check before uploading the file to the server“, refers.

The matter has been resolved in the most recent release of the WordPress plugin, denoted as version 20230914. Users are strongly advised to promptly upgrade to safeguard their websites.

The researcher also emphasized, “Always scrutinize each $_FILES parameter in the plugin or theme code. Be sure to validate the file name and extension before proceeding with file uploads.”

Website owners are also encouraged to review their code for potential vulnerabilities and implement a whitelist of approved file extensions as a preventive measure against unauthorized file uploads.

Basic Safety Measures 


Administrators of a WordPress website should consider several fundamental security measures:

  1. Employing robust and unique passwords for access.
  2. Consistently updating the software to the latest versions.
  3. Implementing a dedicated antivirus protection tool.
  4. Periodically reviewing and enhancing the website’s security protocols.

Ensuring WordPress site security is paramount in safeguarding your website against threats. By deploying suitable security measures and maintaining regular software updates, you can fortify your website’s security and uphold a steadfast and trustworthy online presence.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Post Views: 366
By | 2023-10-30T07:50:26+05:30 October 16th, 2023|BOTNET, Compromised, cyberattack, Evilproxy, Exploitation, Internet Security, malicious cyber actors, Mobile Security, Security Advisory, Security Update, Software Issues|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!