Zyrex Popup <= 1.0 - Admin+ Arbitrary File Upload
Description
The ZYREX POPUP WordPress plugin through 1.0 allows admin-level arbitrary file upload due to missing file type validation, enabling remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ZYREX POPUP WordPress plugin, in versions up to and including 1.0, does not validate the type of files uploaded when a popup is created. A user with the Administrator role can therefore upload arbitrary files, including executable scripts such as PHP, even on installations where file modification by administrators is otherwise disallowed (for example with the DISALLOW_FILE_MODS constant set, or in a multisite network where only the super admin may add code). [1]
Exploitation
An attacker who already holds Administrator access to the WordPress admin panel can create or edit a popup and, through its file upload field, submit a malicious file such as a PHP web shell. Because the plugin checks neither the file extension nor the MIME type, the file is stored on the server as uploaded, where it can later be requested over HTTP. Nothing beyond the administrator session is needed: no further authentication step and no interaction from another user. [1]
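To make the class of bug concrete, the following pair of upload handlers is added to this advisory as an illustrative example in PHP. It is not the Zyrex Popup plugin's own code, and the function names, the form field name popup_asset, the nonce name and the zyrex-example subdirectory are all hypothetical. The first handler stores whatever is uploaded under its original name, the pattern the Vulnerability and Exploitation sections describe; the second restricts uploads to an image allow-list and validates both the extension and the file content with WordPress core functions.

```php
<?php
/**
 * Illustrative popup-asset upload handlers for a WordPress plugin.
 * Example code added to this advisory; NOT the Zyrex Popup plugin's source.
 * Function names, the "popup_asset" field, the nonce name and the
 * "zyrex-example" directory are hypothetical.
 *
 * Both handlers assume they run inside WordPress (wp_ajax_* or admin-post
 * callback) after a multipart form with a file input named "popup_asset"
 * was submitted.
 */

// --- Vulnerable pattern: the bug class this advisory describes. ---
// The upload is written under its original name with no extension or MIME
// check, so "popup.php" is accepted exactly like "popup.png".
function zp_example_upload_vulnerable() {
    if ( empty( $_FILES['popup_asset'] ) ) {
        wp_die( 'No file.' );
    }
    $upload_dir = wp_upload_dir(); // e.g. .../wp-content/uploads
    $dest       = trailingslashit( $upload_dir['basedir'] )
                . 'zyrex-example/' . basename( $_FILES['popup_asset']['name'] );
    wp_mkdir_p( dirname( $dest ) );
    if ( ! move_uploaded_file( $_FILES['popup_asset']['tmp_name'], $dest ) ) {
        wp_die( 'Upload failed.' );
    }
    return $dest; // a .php file here is now reachable over HTTP
}

// --- Hardened pattern. ---
function zp_example_upload_hardened() {
    // 1. Capability and CSRF checks: an admin-only form still needs a nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    check_admin_referer( 'zp_example_upload', 'zp_example_nonce' );

    if ( empty( $_FILES['popup_asset'] ) ) {
        wp_die( 'No file.' );
    }

    // 2. Allow-list of the only types a popup image needs. Passed as 'mimes',
    //    it overrides the site-wide upload_mimes list for this upload only.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 3. Check extension AND content. wp_check_filetype_and_ext() compares the
    //    claimed extension with the detected content type and returns an empty
    //    'type' on mismatch, so "shell.php" is rejected, and so is "shell.png"
    //    whose bytes are PHP rather than an image. Calling it here explicitly
    //    means the allow-list is enforced regardless of the unfiltered_upload
    //    capability, which wp_handle_upload() alone would defer to.
    $file  = $_FILES['popup_asset'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['type'] ) ) {
        wp_die( 'Disallowed file type.', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename']; // core corrected the extension
    }

    // 4. Let core do the move: wp_handle_upload() re-validates against $allowed,
    //    sanitizes the name, avoids collisions and uses the uploads directory.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
    return $result['file']; // path to the stored, validated image
}
```

The content check for non-image types inside wp_check_filetype_and_ext() relies on PHP's fileinfo extension; if it is absent, only the extension is validated, so confirm fileinfo is loaded on the target host when relying on this path.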
Impact
Successful exploitation lets the attacker execute arbitrary code on the server by requesting the uploaded file, which can lead to full site compromise, data theft, persistence and further attacks on the underlying host. On a stock single-site install an Administrator can already run code by installing a plugin, so the practical severity is highest where that path is closed: multisite networks, in which site administrators are not super admins and are not supposed to add or modify files, and hardened installs with file modifications disabled. [1]
Mitigation
The issue is fixed in version 1.1 of the plugin; update to 1.1 or later as soon as possible. If updating is not possible, limit the Administrator role to trusted users, since the flaw requires that privilege. No other workaround is documented by the reference. [1] As general defence in depth, not specific to this plugin, configuring the web server to refuse to execute PHP from wp-content/uploads limits what any uploaded script can do.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/ZYREX POPUP
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/0fd0d7a5-9263-43b6-9244-7880c3d3e6f4 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.