CVE-2016-10959

Vulnerability

The Estatik plugin for WordPress versions before 2.3.1 contains an authenticated arbitrary file upload vulnerability. The flaw exists in the wp-admin/admin-ajax.php endpoint where the es_media_images[] parameter is processed without proper file type validation. An attacker with a valid WordPress account (or able to trick an administrator via Cross-Site Request Forgery) can upload a malicious PHP file to the server.

Exploitation

An attacker must either have an authenticated session on the target WordPress site or craft a CSRF payload that forces an authenticated user (such as an administrator) to submit a request. The request targets wp-admin/admin-ajax.php with the action parameter set to the appropriate handler and es_media_images[] containing a file payload (e.g., a PHP web shell). No special privileges beyond being an authenticated user are required; the file upload is processed without checking file extension or content.

Impact

Successful exploitation allows the attacker to upload arbitrary files, including executable PHP scripts. This can lead to remote code execution on the underlying web server, full compromise of the WordPress installation, data theft, site defacement, or use of the server for further attacks.

Mitigation

The vulnerability was fixed in Estatik version 2.3.1 [1]. Users should update to the latest version (4.3.1 as of the reference date) to ensure the fix is applied. No workarounds are documented; updating the plugin is the recommended action.