WPtouch < 4.3.45 - Admin+ Arbitrary File Upload
Description
The WPtouch WordPress plugin before 4.3.45 does not properly validate images being uploaded, allowing high-privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to (for example, in a multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WPtouch WordPress plugin before 4.3.45 allows high-privilege users to upload arbitrary files due to improper image validation, bypassing restrictions in multisite setups.
Vulnerability
The WPtouch WordPress plugin prior to version 4.3.45 fails to properly validate images during upload. This allows users with high privileges (such as Administrators) to upload arbitrary files (e.g., PHP scripts) to the server even when they should not be permitted to, for example in a WordPress multisite configuration where super admin restrictions apply [1].
Exploitation
An attacker must possess an admin-level account on the WordPress site. Using the standard media upload functionality, the attacker can craft a file that passes basic image checks but is ultimately saved with a non-image extension (e.g., .php). No additional network position or user interaction is required beyond the attacker's authenticated session [1].
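The consistency check this class of bug is missing, as an added example that is not WPtouch's or WordPress's own code: a file is accepted only when its single extension, the MIME type sniffed from the stored bytes and the parsed image header all name the same image type, so an image-looking body saved under a `.php` name (or a script body saved under `.gif`) is refused. The allowlist and function names are assumptions for illustration.

```php
<?php
// Added example, not WPtouch or WordPress code: an upload gate that accepts a
// file only when its extension, the sniffed MIME type and the image header all
// agree. The allowlist and function names are assumptions for illustration.

const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// True only if $filename has exactly one allowed image extension and the
// bytes stored at $path are an image of that same type.
function is_valid_image_upload(string $filename, string $path): bool
{
    // Exactly one extension: rejects "shell.php.png", "shell.php" and "noext".
    $parts = explode('.', basename($filename));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    $expected = ALLOWED_IMAGE_TYPES[strtolower($parts[1])] ?? null;
    if ($expected === null) {
        return false;
    }

    // Sniff the stored bytes; the client-supplied Content-Type is never consulted.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($sniffed !== $expected) {
        return false;
    }

    // The image header must parse and report the same type as the extension.
    $info = @getimagesize($path);
    return $info !== false && $info['mime'] === $expected;
}

// Constructed samples: a minimal 1x1 GIF under three names, and a PHP script body.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
$samples = [
    ['photo.gif', $gif], ['photo.php', $gif], ['photo.php.gif', $gif],
    ['photo.gif', "<?php echo 'not an image'; ?>\n"],
];
$tmp = tempnam(sys_get_temp_dir(), 'upload');
foreach ($samples as [$name, $bytes]) {
    file_put_contents($tmp, $bytes);
    printf("%-14s %s\n", $name, is_valid_image_upload($name, $tmp) ? 'accepted' : 'rejected');
}
unlink($tmp);
```

WordPress core exposes an equivalent extension-versus-content consistency check as `wp_check_filetype_and_ext()`, which a plugin should use in preference to a hand-rolled gate like this one.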
Impact
Successful exploitation allows the attacker to upload arbitrary files, including executable PHP code. This can lead to remote code execution on the web server, full site compromise, data exfiltration, or further lateral movement. In a multisite environment, the vulnerability bypasses intended restrictions that limit individual site admins from uploading arbitrary files [1].
Mitigation
Update to WPtouch version 4.3.45, which was released on an undisclosed date and addresses the vulnerability [1]. There is no known workaround for sites that cannot update immediately. This CVE has not been listed in the Known Exploited Vulnerabilities (KEV) catalog as of the time of writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <4.3.45
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/f927dbe0-3939-4882-a469-1309ac737ee6 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.