
Found an exploit in a really old Wordpress plugin...

I was browsing through the Wordfence Web Application Firewall log of my Wordpress site, and I found something interesting. Thankfully it was blocked by Wordfence so that's good—it never did any damage to my site. I don't even have the plugin installed on my site so again, good.

However, I digress—I found an exploit in an old Wordpress plugin. So old that it doesn't seem that Wordpress even lists it as a plugin to be installed. Thankfully.

However, the plugin does exist. I found it on Github and after a little bit of investigation, one of the files in that plugin is indeed vulnerable to that very exploit. A path traversal exploit. There's no input validation or cleanup before passing it to a PHP read() function.

What do I do with this knowledge? Is there a possibility that sites out there have this plugin installed and are vulnerable to this exploit?

Obviously, I don't want to publish this exploit or the name of the plugin publicly since well... duh. But what do I do? I have no idea how to responsibly disclose this vulnerability.
 
Since it's on Github then I would report it to Github. Hopefully they will at least take it down which would be a big step in the right direction.
 
Is the plugin still maintained at all? If so create an issue in their GH that explains you've found a vuln and asks for a direct non-public contact to reach out to, in order to detail it so they can fix it.

If it's abandoned then not much you can do, and if it's old enough to be abandoned it's really on the people using that plugin to stop using abandonware.
 
Someone suggested that I disclose it to PatchStack. I've done just that.
 
One day I was looking through my Wordfence access logs and came across a weird looking URL… https : // www . toms-world . org/blog/wp-content/plugins/apptha-slider-gallery/asgallDownload.php?imgname=../../wp-config.php

Thankfully, I don’t have that plugin installed into my WordPress installation. You’re going to find out why I said “thankfully” in a moment.

The reason I started looking into this was because the log just looked… funny, weird. Something just didn’t smell right. So, I began doing some looking around on Google and lo and behold, I found a plugin for WordPress named Apptha Slider Gallery on GitHub. I then looked into the exact file name that the… not so good smelling URL referenced. The code is as below…

<?php
/*
***********************************************************/
/**
* @name : Mac Doc Photogallery.
* @version : 2.5
* @package : apptha
* @subpackage : mac-doc-photogallery
* @author : Apptha - http://www.apptha.com
* @copyright : Copyright (C) 2011 Powered by Apptha
* @license : GNU General Public License version 2 or later; see LICENSE.txt
* @Abstract : The core file of calling Mac Photo Gallery.
* @Creation Date : June 20 2011
* @Modified Date : September 30 2011
* */

/*
***********************************************************/

/*The Common load file for the plugin */

require_once( dirname(__FILE__) . '/asgallDirectory.php');

// The file name comes straight from the request with no validation or sanitising.
$timg = $_REQUEST['imgname'];
$pluginname = 'apptha-slider-gallery';
// $timg is concatenated onto the uploads path as-is, so "../" sequences walk out of it.
$file = dirname(dirname(dirname(__FILE__)))."/uploads/".$pluginname."/".$timg;
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
// basename() is applied here, to the download name only, not to the path that is read.
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
// Whatever path was built above is sent back verbatim (the path traversal).
readfile($file);

//}
?>

Immediately upon reading that code I had a major face-palm moment.

If you need a clue as to why I had a face-palm moment, take a look at the line that reads “readfile($file);”. The variable $file chiefly gets its value from $_REQUEST[‘imgname’] ( well, ok... $file = dirname(dirname(dirname(__FILE__)))."/uploads/".$pluginname."/".$timg ), however, as you can see, they just concatenate the value of $timg onto the $file variable and… there’s absolutely no user input validation!!! Not even a simple call to basename() to make sure that an attacker can’t do something stupid like “../../../wp-config.php”. A simple call of basename() could have put a stop to this major vulnerability.

They do perform a call to basename() when they declare the "Content-Disposition: attachment" HTTP Header so they knew that calling basename() was a good idea but why the hell didn't they make a call to it in the most important place ever!?!?

But I digress…

I looked about the Internet and began asking about how I can report a vulnerability since I've never done this before. Someone mentioned Patchstack so I opened a chat on their site and asked how I can get into contact with one of their security researchers. They gave me some contact information and I submitted the details of what I found. Lo and behold, I get an email sometime later stating that what I found was indeed a major security vulnerability in a WordPress plugin, a path traversal vulnerability. The bad thing is that this plugin is no longer supported by Apptha and God knows how many WordPress installations might have this extremely vulnerable plugin installed.

Fast forward to today and the vulnerability that I found was given a CVE ID of CVE-2025-31050 with a vulnerability rating of 7.5 on a scale of 1 to 10 giving it a severity of High. Not good, scary even.

Note to Moderators
I have done all the right things. I responsibly disclosed the vulnerability, and I held everything back until I knew a public CVE was published. Everything in this post is now public since the CVE is no longer private.
 
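A hardened replacement for the download logic quoted above, added here as an example and not Apptha's code: it goes beyond the basename() call discussed in the post by also confirming with realpath() that the resolved file still lives inside the uploads directory, so a symlink planted in uploads cannot point elsewhere. It assumes the caller passes in the uploads directory path; the demo runs against a constructed temporary directory.

```php
<?php
// Added example, not the plugin's own code. Two independent checks are applied:
// basename() strips every directory component from the request value, and
// realpath() proves the resolved file still lives under $uploadsDir.

// Returns the absolute path of the file to serve, or null if the request must be refused.
function resolve_gallery_file(string $uploadsDir, string $requested): ?string
{
    // 1. Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // 2. basename() drops the directory part: '../../wp-config.php' becomes 'wp-config.php'.
    $name = basename($requested);
    // 3. Serve only the image types the gallery is meant to hand out.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    // 4. realpath() resolves '..' and symlinks; the result must stay under the uploads dir.
    $base = realpath($uploadsDir);
    $full = realpath($uploadsDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the uploads directory (e.g. through a symlink)
    }
    return $full;
}

// Constructed demo layout: <tmp>/wp-config.php and <tmp>/uploads/apptha-slider-gallery/photo.jpg
$tmp = sys_get_temp_dir() . '/asgall-demo-' . getmypid();
$uploads = $tmp . '/uploads/apptha-slider-gallery';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/photo.jpg', 'not really a jpeg');
file_put_contents($tmp . '/wp-config.php', '<?php // constructed stand-in for the real secrets');
// A symlink inside uploads pointing outside it: basename() alone would let it through.
@symlink($tmp . '/wp-config.php', $uploads . '/link.jpg');

$requests = ['photo.jpg', '../../wp-config.php', 'photo.jpg/../../../wp-config.php', 'shell.php', 'link.jpg'];
foreach ($requests as $req) {
    $res = resolve_gallery_file($uploads, $req);
    printf("%-36s => %s\n", $req, $res === null ? 'REFUSED' : 'serve ' . basename($res));
}
// In a real handler: if resolve_gallery_file() returns null, send a 404 and exit;
// otherwise run the header()/readfile() sequence from the original on the returned path.
```

Only photo.jpg is served; the three traversal attempts, the .php name and the symlink are all refused.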
Seems like it's been on the radar for a couple of years with similar vulns. Likely a one-off project that became abandonware soon after (last update 6 years ago).
Their GIT is buried under 2 pages of vuln reports dating as far back as 6 years ago. Pretty sure no one in their right mind would consider installing it even if they came by it accidentally.
 
Is the plugin still maintained at all? If so create an issue in their GH that explains you've found a vuln and asks for a direct non-public contact to reach out to, in order to detail it so they can fix it.

If it's abandoned then not much you can do, and if it's old enough to be abandoned it's really on the people using that plugin to stop using abandonware.

The only answer.

It's abandonware; if users are still using years-old code they assume the risk. It's a neat find but there are thousands of examples of it on GitHub alone.
 
Wordpress is constantly being exploited, or had exploits, or has patches meant to address exploits. If you buy web hosting, just for a simple static HTML site, you will see an endless stream of requests to non-existent wordpress files and folders looking to see if you have something exploitable. It's just 404 after 404.
Odds are, someone is aware and either fixed it or abandoned it.
I would never. I hate those CMS systems anyway. Hard to use, bloated, you have to trust someone you don't know, and you have to deal with compatibility issues and abandoned projects.
There's so much convoluted code and addons and just crap on top of crap. I don't trust it.

edit:
lol...terrible
For a small static HTML site with little traffic, it's absurd how many attack vectors are constantly attempted. Is it a coincidence that it is mostly word press files they are trying to get a feel for?
[Image: Screenshot_20250629_145312_Brave.jpg]
 
But then I'd have to build my own CMS and that's a pain in the ass. I mean, I could do it—I have the expertise. I know how to write PHP code, some MySQL code, but still... better to just use WordPress with Cloudflare in front of it to stop a vast majority of the malicious stuff before it even hits the origin server.
 
You don't need a CMS to publish content. You don't need a database to store data. Files and file systems have existed for much longer. For simply publishing content, a much more secure method is simple old-fashioned typing and uploading.

I made my own CMS once for the fun/challenge of it. It was crap, but it worked. It probably wasn't secure either. I tried, and it used Bcrypt, but I'm sure I messed up all over the place.

I prefer just using FTP to publish new documents. It's so much less painful overall, in my opinion. No learning a CMS. No finding the plugins to do what you want to do. And no constant breaking as one thing is patched and another thing is out of date or abandoned.

Using a templating system, a person doesn't even need to know HTML or CSS, after you create that templating system.

From my experience, CMSes (plural?) encourage you to be lax on security, because they encourage you to just use what you invested your time into and know works, rather than do the painful process of updating, patching, and finding replacements for what stopped working. They encourage you to ignore critical base-layer security updates which would break higher-level plugins. And I think that is one reason that WordPress is exploited so much.

[Image: hacked_website_how_compromised.png]

See FTP there at the bottom?
 
But then I'd have to build my own CMS and that's a pain in the ass. I mean, I could do it—I have the expertise. I know how to write PHP code, some MySQL code, but still... better to just use WordPress with Cloudflare in front of it to stop a vast majority of the malicious stuff before it even hits the origin server.

I... don't think you understand what cloudflare actually is with that statement.

But you're also not wrong, using WordPress/Joomla/Drupal/whatever is completely fine and is how most websites operate. Just don't use outdated, unmaintained plugins. Like my last reply said, there are thousands of examples on GitHub of abandoned projects that now have vulnerabilities. The "right" thing to do is for these devs to archive these no-longer-maintained projects, but it's also on the webadmin to be smart about what they use.
 
Do you have cpanel??
 
I... don't think you understand what cloudflare actually is with that statement.
Cloudflare does offer a WAF, a Web Application Firewall that consists of a number of rules that are applied to incoming traffic, and if the traffic matches, it blocks the traffic before it even gets to the origin server.
Do you have cpanel??
Yes.
 
A WAF can get super aggressive and break active plugins/elements - I would try it out in dev first; I've had instances where it breaks existing site functionality.
 
I... don't think you understand what cloudflare actually is with that statement.

But you're also not wrong, using WordPress/Joomla/Drupal/whatever is completely fine and is how most websites operate. Just don't use outdated, unmaintained plugins. Like my last reply said, there are thousands of examples on GitHub of abandoned projects that now have vulnerabilities. The "right" thing to do is for these devs to archive these no-longer-maintained projects, but it's also on the webadmin to be smart about what they use.
I do some freelance work for a company and they just had some eastern European outfit make a new site for them, because it was cheap...
So, so, so many plugins and I don't even know what half of them are supposed to do.
You can't even add content without going through a plugin that they used to build the site with...
But apparently they're going ahead with it and will use the site as is...
No-one at the company seems to know anything about anything tech related, which is quite scary.
I guess it's the same for a lot of small businesses around the world though.
 
A WAF can get super aggressive and break active plugins/elements - I would try it out in dev first; I've had instances where it breaks existing site functionality.
I've never had an issue with my small site.
 
I've never had an issue with my small site.
If you have a lot of inputs on your website or you're using something like Redash, Retool, etc. that run web apps, the WAF will false-positive on actual requests and block them. I'm sure you can tune the rules to get it to work, but after fiddling with it for 2 hours I kind of just gave up -- this is AWS WAF, specifically with the exploit protection configuration turned on -- maybe Cloudflare/Akamai/Fastly are better.
 
I do some freelance work for a company and they just had some eastern European outfit make a new site for them, because it was cheap...
So, so, so many plugins and I don't even know what half of them are supposed to do.
You can't even add content without going through a plugin that they used to build the site with...
But apparently they're going ahead with it and will use the site as is...
No-one at the company seems to know anything about anything tech related, which is quite scary.
I guess it's the same for a lot of small businesses around the world though.

Ya it's like that with a lot of small businesses. I've been half tempted numerous times to spin up a webhosting/design service and offer it to local businesses as a side hustle. Just haven't had the motivation to actually sit down and plan it all out :fear:
 
Ya it's like that with a lot of small businesses. I've been half tempted numerous times to spin up a webhosting/design service and offer it to local businesses as a side hustle. Just haven't had the motivation to actually sit down and plan it all out :fear:
I know enough for my own needs, but not enough to do anything serious with my knowledge.
I help them with non-technical stuff, but ended up being part of this, as it really went sideways.
 
Cloudflare does offer a WAF, a Web Application Firewall that consists of a number of rules that are applied to incoming traffic, and if the traffic matches, it blocks the traffic before it even gets to the origin server.

Yes.
cPanel/Softaculous has a WordPress security suite built in; if your host installed it, it will harden the install by several means. The biggest thing is to never have your admin account be named as such, and also to have as many dirs read-only as you can. There are other means, but I don't want to discuss them here.
 