VYPR
High severity (CVSS 8.8) · NVD Advisory · Published May 16, 2026

CVE-2020-37227

Description

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation and upload arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to an executable extension such as .php to achieve remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can upload arbitrary PHP files via the HS Brand Logo Slider plugin's logoupload parameter, leading to remote code execution.

Vulnerability

Details

CVE-2020-37227 describes an unrestricted file upload vulnerability in the WordPress plugin HS Brand Logo Slider version 2.1. The plugin only performs client-side file extension validation, which can be trivially bypassed. An authenticated attacker can intercept the upload request to the logoupload parameter and rename the file to a .php extension, allowing arbitrary PHP code to be uploaded to the server [2][3].

Exploitation

Exploitation requires an authenticated WordPress user with access to the plugin's admin page (/wp-admin/admin.php?page=hs-brand-logo-slider.php). Using a proxy like Burp Suite, the attacker intercepts the file upload request, changes the filename (e.g., from a.jpg to a.php), and forwards the request. The plugin accepts the file without server-side validation and stores it on the server [2].

Impact

Successful exploitation grants the attacker remote code execution on the underlying web server. The CVSS v3 score of 8.8 (High) reflects the high confidentiality, integrity, and availability impact [3]. An attacker can execute arbitrary commands, install backdoors, or compromise the entire WordPress installation.

Mitigation

The plugin was closed on October 21, 2020, and is no longer available for download [4]. No patched version exists. Users are strongly advised to remove the plugin from any active WordPress site and ensure no residual files remain.
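The Details and Mitigation sections above describe the root cause (validation only in the browser, the server trusting the client-supplied filename) and the only available remedy (removing the plugin). For developers maintaining similar upload handlers, the following is an added example, not code from the HS Brand Logo Slider plugin, showing a hypothetical handler in the weak shape the advisory describes beside a hardened version that validates on the server. All function names, the allowlist and the sample files are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. The handler names below
// (store_logo_unvalidated, validate_logo_upload, store_logo_validated) are assumptions.

// Allowlist of image extensions and the MIME type each must sniff as (constructed).
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// WEAK: only the browser checked the extension, so the server keeps whatever
// filename arrives in the request. A filename rewritten in transit is stored as-is.
function store_logo_unvalidated(string $clientName, string $tmpPath, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($clientName);
    copy($tmpPath, $dest);
    return $dest;
}

// HARDENED: validate on the server and return the extension the file may be stored
// under. Throws on rejection so a caller cannot forget to check a return flag.
function validate_logo_upload(string $clientName, string $tmpPath): string
{
    // 1. Extension allowlist, case-insensitive, taken from the last dot only.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("rejected: extension '$ext' is not an allowed image type");
    }

    // 2. Magic-byte check: the content must agree with the claimed extension.
    //    A PHP script carrying a .png name sniffs as text/x-php and is refused here.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException("rejected: content is '$detected', expected " . ALLOWED_IMAGE_TYPES[$ext]);
    }

    // 3. The file must actually decode as an image (getimagesize needs no GD extension).
    if (@getimagesize($tmpPath) === false) {
        throw new RuntimeException('rejected: not a decodable image');
    }
    return $ext;
}

// Store under a random, server-chosen name so the client-supplied name never reaches disk.
// In a real request handler use move_uploaded_file() on $_FILES['logoupload']['tmp_name'].
function store_logo_validated(string $clientName, string $tmpPath, string $uploadDir): string
{
    $ext  = validate_logo_upload($clientName, $tmpPath);
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!copy($tmpPath, $dest)) {
        throw new RuntimeException('store failed');
    }
    return $dest;
}

// Demo with constructed inputs: a genuine 1x1 PNG, the same PHP text under a .png
// name, and under a .php name. Run with: php upload_check.php
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/logo-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700, true);

    $pngPath = "$dir/real.tmp";
    file_put_contents($pngPath, base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ));
    $phpPath = "$dir/script.tmp";
    file_put_contents($phpPath, "<?php echo 'not an image';\n");

    foreach ([['logo.png', $pngPath], ['renamed.png', $phpPath], ['a.php', $phpPath]] as [$name, $tmp]) {
        // The weak handler stores all three names unchanged.
        echo "weak:     $name -> " . basename(store_logo_unvalidated($name, $tmp, $dir)) . "\n";
        try {
            // The hardened handler accepts only the real PNG.
            echo "hardened: $name -> " . basename(store_logo_validated($name, $tmp, $dir)) . "\n";
        } catch (RuntimeException $e) {
            echo "hardened: $name -> " . $e->getMessage() . "\n";
        }
    }
}
```

Inside a WordPress plugin the same checks map onto core helpers: gate the handler with current_user_can() and check_admin_referer(), then let wp_check_filetype_and_ext() and wp_handle_upload() perform the extension and content validation and the move into the uploads directory. Independently of the handler, the web server should be configured so that PHP is never executed from the uploads directory, which limits the impact of any upload check that is later found to be bypassable.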

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)