The “User Submitted Posts” plugin, a popular tool for user-generated content in WordPress, had a vulnerability that allowed unauthenticated users to upload arbitrary files, with remote code execution as the potential risk. The issue was resolved in plugin version 20230914, and users should update to at least this version. Plugin developers can make use of Patchstack’s security audit services and Threat Intelligence Feed API. Best practice to avoid similar vulnerabilities includes implementing a check on the filename and extension before uploading, as well as applying a whitelist of allowed file extensions. Users of Patchstack Developer and Business are already protected from this vulnerability and can sign up for the Patchstack Community plan for notifications about vulnerabilities.
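The filename and extension check recommended above could look like the following. This is an added example, not the plugin's or Patchstack's code; the function name, the allowlist contents and the sample filenames are assumptions. It goes slightly beyond the summary by also rejecting double extensions and storing the file under a server-generated name.

```php
<?php
// Added example: hypothetical helper, not code from the User Submitted Posts plugin.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif']; // assumed allowlist

/**
 * Return a safe name to store the upload under, or null if it must be rejected.
 */
function example_validate_upload_name(string $clientName): ?string
{
    // Reject empty names and control characters (including NUL) before parsing.
    if ($clientName === '' || preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Drop any directory component supplied by the client.
    $base = basename(str_replace('\\', '/', $clientName));
    // Some filesystems strip trailing dots and spaces, so normalise them first.
    $base = rtrim($base, '. ');
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // no extension, or a dotfile such as ".htaccess"
    }
    array_shift($parts); // discard the stem; it is never used for storage
    // Every remaining segment must be allowlisted, so "shell.php.jpg" is
    // rejected as well as "shell.php". This is deliberately strict.
    foreach ($parts as $segment) {
        if (!in_array(strtolower($segment), ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    $ext = strtolower(end($parts));
    // Store under a random server-side name; keep only the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames, as a client might submit them.
$samples = ['photo.JPG', 'shell.php', 'shell.php.jpg', 'image.png.',
            '.htaccess', '../../x.gif', "a.php\0.png", 'noext'];
foreach ($samples as $name) {
    $stored = example_validate_upload_name($name);
    printf("%-20s => %s\n", json_encode($name),
        $stored === null ? 'REJECT' : 'accept as ' . $stored);
}
```

A filename check does not inspect file contents, so the upload directory should also be configured not to execute scripts.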