VYPR
Low severity (CVSS 3.5) · NVD Advisory · Published Apr 1, 2024 · Updated Apr 15, 2026

CVE-2014-125110

Description

A vulnerability has been found in wp-file-upload Plugin up to 2.4.3 on WordPress and classified as problematic. Affected by this vulnerability is the function wfu_ajax_action_callback of the file lib/wfu_ajaxactions.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.4.4 is able to address this issue. The identifier of the patch is c846327df030a0a97da036a2f07c769ab9284ddb. It is recommended to upgrade the affected component. The identifier VDB-258781 was assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in WordPress wp-file-upload plugin ≤2.4.3 via unsanitized output in wfu_ajax_action_callback.

The wp-file-upload plugin for WordPress versions up to 2.4.3 contains a reflected cross-site scripting (XSS) vulnerability in the wfu_ajax_action_callback function within lib/wfu_ajaxactions.php. The function used print_r() to output session, POST, user, and parameter data without sanitization, allowing an attacker to inject arbitrary HTML and JavaScript. The fix, introduced in version 2.4.4, adds a wfu_sanitize() function that applies htmlspecialchars() to all output, preventing script injection [1].

An attacker can exploit this vulnerability remotely by sending crafted requests that trigger the error-handling paths in the callback. The code checks for a valid session token and user login, but if these checks fail, the unsanitized data is printed directly. This means an unauthenticated attacker can cause the plugin to reflect malicious payloads in the response, leading to XSS [1].
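To make the sanitization gap in the two paragraphs above concrete, the following PHP is an added illustration, not code from the plugin or its repository. It reconstructs the pattern the narrative describes (request data dumped with print_r() into the response when the session or login check fails) next to the escaping fix the narrative attributes to 2.4.4. The function names vulnerable_error_dump, sanitize_for_html and hardened_error_dump, the recursive escaping of keys and values, and the sample request array are all assumptions; only print_r() and htmlspecialchars() come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Reconstructs the pattern the
// advisory describes and the shape of the fix it attributes to 2.4.4.
// Every function name below except print_r() and htmlspecialchars() is
// hypothetical.

// Vulnerable pattern: on the failed-check path the handler dumps the raw
// request into the response body. Any '<', '>' or '"' in $data reaches the
// browser verbatim, so the response becomes attacker-controlled HTML.
function vulnerable_error_dump(array $data): string
{
    return print_r($data, true);
}

// Hardened pattern: escape every string (keys included, since $_POST keys
// are also client-controlled) before it reaches the page. This mirrors the
// advisory's description of a sanitizer applying htmlspecialchars() to all
// output; the recursive form is an assumption.
function sanitize_for_html($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $k => $v) {
            $key = is_string($k)
                ? htmlspecialchars($k, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                : $k;
            $clean[$key] = sanitize_for_html($v);
        }
        return $clean;
    }
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $value; // ints, bools, null are inert in HTML
}

function hardened_error_dump(array $data): string
{
    return print_r(sanitize_for_html($data), true);
}

// Constructed request body standing in for $_POST: a token that fails the
// session check plus a parameter carrying markup.
$request = [
    'action' => 'wfu_upload',
    'token'  => 'expired-session-token',
    'param'  => '<script>alert(1)</script>',
];

echo "--- vulnerable: markup reaches the browser intact ---\n";
echo vulnerable_error_dump($request), "\n";
echo "--- hardened: markup is emitted as inert text ---\n";
echo hardened_error_dump($request), "\n";
```

Run with `php example.php`: the first dump contains the raw `<script>` tag, the second contains `&lt;script&gt;`, which a browser renders as text. Two defender checks follow from this: audit AJAX handlers for print_r(), var_dump() or var_export() whose result reaches the response, especially on error and debug paths that run before authentication succeeds, and send AJAX responses with a non-HTML Content-Type such as application/json so that a stray reflection is not parsed as a document even if escaping is missed.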

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser. This could be used to steal session cookies, perform actions on behalf of the victim, or deface the site. The CVSS v3 base score of 3.5 (Low) reflects the need for user interaction or specific conditions, but the attack vector is network-based and requires no privileges [2].

The vulnerability is addressed by upgrading to version 2.4.4 of the plugin. The patch commit (c846327df030a0a97da036a2f07c769ab9284ddb) is available in the plugin's repository, which has since been archived and is read-only [1][2]. Users are strongly recommended to upgrade to the patched version or replace the plugin with an alternative.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.