CVE-2018-17573

An attacker can navigate directly to the exposed FCKeditor file manager pages, such as `uploadtest.html`, which are bundled with the wp-insert plugin and accessible without authentication [ref_id=1]. Because FCKeditor's file upload connectors do not restrict file types, the attacker can upload a PHP web shell or other executable code to the server [ref_id=1]. Once uploaded, the attacker accesses the uploaded file directly via its URL, causing the PHP code to execute on the server [ref_id=1].

The vulnerable code resides in the bundled FCKeditor files under the wp-insert plugin directory: `fckeditor/editor/filemanager/browser/default/browser.html`, `fckeditor/editor/filemanager/connectors/test.html`, and `fckeditor/editor/filemanager/connectors/uploadtest.html` [ref_id=1]. These FCKeditor components are exposed and configured in a way that allows arbitrary file upload without authentication or file-type restrictions [ref_id=1].

The advisory states that version 2.4.2 and earlier are affected and that the plugin remains "unpatched" [ref_id=1]. No patch is provided in the bundle. The recommended remediation is to remove or disable the bundled FCKeditor components entirely, or to replace them with a secure file upload mechanism that validates file types and requires authentication [ref_id=1].

1. Navigate to `http://