Updated: December 8, 2020
The WordPress plugin “Theme Editor” is a plugin that allows you to edit theme files, create folders, upload files and remove files in themes and plugins.
Theme editor versions 2.1 and lower are affected by multiple vulnerabilities such as CSRF, insufficient permission checking, arbitrary file upload and the ability to interact with folders/files on the server in most ways you can imagine.
The plugin has over 30,000 active installations as of September 16th, 2019. These vulnerabilities (aside from CSRF) require access to any account, regardless of its role.
We will not be covering all issues in the plugin in this post such as CSRF but the vulnerabilities described above exist because the WordPress nonce check is not implemented in many methods. Additionally, a lot of methods do not check if the current user has the proper permissions set to execute said action.
The most dangerous vulnerability is the arbitrary file upload vulnerability which exists in the ms_child_theme_editor.php file in the function webphoto_upload which is registered as wp_ajax_webphoto_upload.
A snippet of the code can be found in the image below. Here we can see that in order to exploit this, all we have to do is upload a file against the “webphoto_upload” AJAX action and it will then upload it to the server under /wp-content/themes/images/.
Always keep your plugins updated. If possible, enable automatic updates. If you are using the Theme Editor plugin, you need to update it with the latest version as soon as possible.
Protect your websites from malicious traffic - set-up in under 3 minutes.
WebARX is compatible with the following platforms: