ShortPixel Enable Media Replace Plugin

admin by admin
February 18, 2023
in Updates


The National Vulnerability Database has published an advisory about the ShortPixel Enable Media Replace WordPress plugin, which is used by over 600,000 websites. The high-severity vulnerability could allow an attacker to upload arbitrary files.

The U.S. National Vulnerability Database (NVD) assigned the vulnerability a score of 8.8 out of 10, with 10 being the highest severity.

Enable Media Replace Plugin Vulnerability

Ordinarily one cannot upload an image with the same file name to update an existing image.

The Enable Media Replace Plugin by ShortPixel enables users to easily update images without having to delete the old image and then upload the updated version with the same file name.

Security researchers discovered that users with author-level publishing privileges can upload arbitrary files, including PHP shells, also known as backdoors.

A plugin that accepts uploads (form submissions) should check that each submitted file is actually of the kind it is supposed to accept, in this case an image.

But according to the NVD advisory, that check is apparently not happening when users replace image files.

The National Vulnerability Database published this description:

“The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.”

This type of vulnerability is classified as: Unrestricted Upload of File with Dangerous Type.

What that means is that anyone with author privileges can upload a PHP script, which the web server will then execute when an attacker requests it, since the plugin places no restrictions on what can be uploaded.
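The missing check described above, as an added illustration that is not the plugin's code: a stand-alone Python validator for a replacement upload, contrasting the behaviour the advisory describes with a hardened version. The magic-byte table and the accept/reject functions are constructed for this example; a real WordPress plugin would use the core file-type checks rather than this simplified table.

```python
import re

# Constructed magic-byte table covering the image types this check accepts;
# a real deployment would use a full file-type library.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Basename with a single dot and an allow-listed image extension only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$", re.IGNORECASE)


def ext_of(name: str):
    """Return the canonical extension of an allow-listed name, else None."""
    if not SAFE_NAME.match(name):
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return "jpg" if ext == "jpeg" else ext


def sniff(data: bytes):
    """Identify the image type from its leading bytes, else None."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def vulnerable_accept(original_name: str, new_name: str, data: bytes) -> bool:
    """Models the behaviour the advisory describes: any non-empty upload is
    written over the original, whatever its name or content."""
    return len(data) > 0


def hardened_accept(original_name: str, new_name: str, data: bytes) -> bool:
    """Accept a replacement only if the new name is allow-listed, the bytes
    really are that image type, the type matches the original attachment,
    and no PHP open tag is embedded (blocks simple image/PHP polyglots)."""
    new_ext = ext_of(new_name)
    if new_ext is None:
        return False                      # e.g. shell.php or shell.php.jpg
    if sniff(data) != new_ext:
        return False                      # extension and content disagree
    if ext_of(original_name) != new_ext:
        return False                      # replacement must keep the media type
    if b"<?php" in data.lower() or b"<?=" in data:
        return False                      # defense in depth, not a full scanner
    return True
```

The embedded-tag check is a heuristic only; the decisive controls are the name allow-list, the content sniff and serving the uploads directory without PHP execution.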

PHP Shell

A PHP shell is a script that lets a website administrator (or anyone else who can reach it) interact with the server remotely: perform maintenance and upgrades, manipulate files and run command line programs.

That’s a scary amount of access for a hacker to gain, which may explain why this vulnerability is rated High, with a score of 8.8.

This kind of access is also referred to as a backdoor.

A GitHub backdoor list describes this kind of exploit:

“Hackers usually take advantage of an upload panel designed for uploading images onto sites.

This is usually found once the hacker has logged in as the admin of the site.

Shells can also be uploaded via exploits or remote file inclusion, or a virus on the computer.”

Recommended Action

ShortPixel has issued a patch for the vulnerability. The fix is documented in the official changelog located in the WordPress repository for the plugin.

Versions of the Enable Media Replace plugin by ShortPixel earlier than 4.0.2 are vulnerable.

Plugin users should update to at least version 4.0.2.

Read the official NVD advisory for the vulnerability:

CVE-2023-0255 Detail
