VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Academy LMS Pro plugin < 3.5.2 - Arbitrary File Upload vulnerability

CVE-2026-39598

Description

Unrestricted file upload in Academy LMS Pro before 3.5.2 allows attackers to upload web shells, leading to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Academy LMS Pro plugin for WordPress, versions before 3.5.2, contains an unrestricted file upload vulnerability. This allows users with file upload capabilities to upload any type of file, including PHP scripts, without proper validation. The vulnerability is present in the file upload functionality of the plugin [1].

Exploitation

An attacker can exploit this vulnerability by uploading a malicious file, such as a PHP web shell, through the plugin's file upload mechanism. No authentication is required if the upload endpoint is exposed to unauthenticated users. The attacker simply needs to send a crafted HTTP request with the malicious file to the vulnerable upload handler [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the web server by accessing the uploaded web shell. This can lead to complete compromise of the WordPress site, including data theft, privilege escalation, and further attacks on the server [1].

Mitigation

To mitigate this vulnerability, update the Academy LMS Pro plugin to version 3.5.2 or later, which includes a fix. If an immediate update is not possible, implement a web application firewall rule that blocks file uploads with dangerous extensions, or use Patchstack's mitigation rule [1].

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
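The advisory describes the failure in general terms (any file type accepted, no validation) and recommends an extension-blocking WAF rule as a stopgap. The block below is an added illustration, not code from the Academy LMS Pro plugin (its handler is not reproduced on this page): a minimal unvalidated upload pattern of the kind the advisory describes, beside a hardened handler that enforces a capability check, an extension allowlist, server-side MIME sniffing and a randomized stored name. All function names, the allowlist contents and the `$user_can_upload` parameter are hypothetical.

```php
<?php
// Added example: weak upload handling versus a hardened handler.
// Not the plugin's code; every name here is hypothetical.

// Weak pattern: the client-supplied name is written straight into a
// web-served directory, so a file with a server-side extension becomes
// executable as soon as it is requested.
function weak_handle_upload(array $file, string $upload_dir): string {
    $dest = rtrim($upload_dir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened form. $user_can_upload stands in for the capability check a
// WordPress plugin would make with current_user_can('upload_files').
// Returns the stored path, or null when the upload is rejected.
function hardened_handle_upload(array $file, string $upload_dir, bool $user_can_upload): ?string {
    if (!$user_can_upload) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Allowlist: extension => MIME type the content must actually have.
    // Anything not listed is rejected, so server-side script extensions
    // and dotfiles such as .htaccess never reach the upload directory.
    $allowed = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];

    // Only the final extension counts, lowercased; a name with several
    // dots is judged by its last extension and must still sniff as that type.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Sniff the real content type from the bytes; $file['type'] is set by
    // the client and is not evidence of anything.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        return null;
    }

    // Random stored name: the client never chooses the on-disk name or path.
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // data file, never executable
    return $dest;
}
```

Inside an actual WordPress plugin the same checks are available through core: routing the upload through `wp_handle_upload()` applies `wp_check_filetype_and_ext()` and the site's allowed MIME list, so a plugin handler should call that rather than `move_uploaded_file()` directly. A WAF rule that blocks dangerous extensions, as the advisory suggests, is a blocklist and therefore only a stopgap; the durable fix is the allowlist-and-sniff approach in the hardened function, plus serving the upload directory with script execution disabled.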

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: the mechanics section is only generated when the actual fix diff can be read. Without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1