Vulnerability Patched in WordPress Theme That Allows Unrestricted Uploads

A vulnerability has been patched in a popular WordPress theme called Neosense that allows an attacker to upload code without authentication.

WordPress theme publisher DynamicPress fixed a flaw Monday that let anyone upload malicious files to sites running its business-themed Neosense WordPress templates, compromise the site and possibly the server hosting it.

Walter Hop, security researcher with Netherlands-based company, Slik, made the discovery last week. The flaw impacts version 1.7 of the Neosense theme. On Monday, DynamicPress released a 1.8 version update that patches the vulnerability. Hop publicly disclosed the vulnerability Monday.

“It’s going to take time for customers to update their sites, but it’s important they do as soon as possible. Without the most recent update for Neosense, customers are leaving themselves wide open to attack,” Hop said.

Hop said the vulnerability is known by hackers who are actively trying to exploit it. He noted that DynamicPress updated nearly all of its themes the same day it updated the Neosense theme.

DynamicPress today confirmed the flaw in Neosense. The WordPress template maker sells approximately 14 different themes via third-party sites such as Envato Market. A DynamicPress company representative told Threatpost that the bug was limited to only the Neosense theme and none of its other themes were impacted.

The vulnerability is tied to DynamicPress’ use of the open source code “qquploader,” an Ajax-based file uploader that had been implemented with no security. An attackers can target version 1.7 Neosense theme users by uploading malicious a PHP script with extension .php or .phtml to the site’s download directory. The Neosense theme does not require any user name or password to access the upload directory.

“An attacker can simply upload a file and execute it to gain control of the WordPress site,” Hop said. If the Neosense site is not sandboxed or in a container, then the attacker can gain access to the hosting server.

“Without user authorization, anyone visiting the site can upload anything. They can upload a backdoor file using Curl and then immediately run it just by clicking on that URL,” Hop said.

Suggested articles