Beware of File Upload Vulnerability in Pixelemu TerraClassifieds Plugin

CVE: CVE-2023-51473
CVSS (v3.1): 10
Source: CVE-2023-51473

The Pixelemu TerraClassifieds plugin, which is a simple classifieds listing plugin for WordPress sites, contains a vulnerability that allows attackers to upload malicious files.

The vulnerability, tracked as CVE-2023-51473, has a CVSS score of 10, meaning it is relatively easy to exploit and can allow an attacker to execute code remotely.

This file upload vulnerability occurs because the plugin fails to validate the type of the file being uploaded. By using a deceptive file extension, an attacker could upload a file such as malicious.php.png, which is actually a PHP file rather than an image.

Once uploaded, the attacker could then request this file on the server and have its code executed remotely. This could compromise the whole WordPress site, allowing the attacker to steal admin credentials, install malware, or scrape sensitive user data.

If you use the TerraClassifieds plugin, update to the latest version immediately to patch this vulnerability. You should also carefully review the files previously uploaded through the plugin and remove any that are suspicious, in case malicious files were uploaded before the patch.

Proper file type validation and sanitization of uploaded files are important for any application that allows users to upload content. Plugin developers should thoroughly test for issues like this to prevent security risks for their users.
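The following is an added example, not code from the TerraClassifieds plugin or from Pixelemu. It contrasts a naive extension check, which accepts a deceptive name such as malicious.php.png, with a hardened check that looks only at the final extension, requires the content's leading bytes to match that extension, and rejects embedded PHP tags. The same check then drives a small audit over an upload directory, the kind of review the advisory recommends for files uploaded before the patch. The allowlist, the `weak_is_allowed` and `hardened_is_allowed` functions, and the sample files written to a temporary directory are all constructed for this example.

```python
"""Added example (not the plugin's own code): upload validation and an
upload-directory audit for the double-extension failure mode described above."""
import os
import re
import tempfile
from pathlib import Path

# Allowed image extensions mapped to the magic bytes the content must begin with
# (an assumed allowlist for this example).
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Case-insensitive marker for an embedded PHP open tag (enough for an audit).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Executable extensions that must not appear before the final dot.
PHP_STEM_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def weak_is_allowed(filename: str) -> bool:
    """Illustrative weak check: accepts the name if ANY segment after the first
    dot is an allowed image extension. 'malicious.php.png' passes because
    'png' appears somewhere in the name. (Hypothetical, not the plugin's code.)"""
    parts = filename.lower().split(".")
    return any(p in ALLOWED_SIGNATURES for p in parts[1:])


def hardened_is_allowed(filename: str, content: bytes) -> tuple[bool, str]:
    """Hardened check: the FINAL extension must be on the allowlist, no PHP
    extension may precede it, the content must start with the matching magic
    bytes, and no PHP open tag may appear anywhere in the content."""
    name = os.path.basename(filename)
    if "." not in name.strip("."):
        return False, "no extension"
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    # e.g. 'malicious.php.png': some server configurations map every extension
    # in the name to a handler, so the inner .php can still be executed.
    if PHP_STEM_EXT.search(stem):
        return False, "double extension"
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"


def audit_upload_dir(upload_dir: str) -> list[tuple[str, str]]:
    """Walk an upload directory and report every file that fails the hardened
    check, so uploads made before the fix can be reviewed by hand."""
    findings = []
    for path in sorted(Path(upload_dir).rglob("*")):
        if path.is_file():
            ok, reason = hardened_is_allowed(path.name, path.read_bytes())
            if not ok:
                findings.append((str(path.relative_to(upload_dir)), reason))
    return findings


def build_sample_uploads() -> str:
    """Write constructed sample files to a throwaway directory (test data only)."""
    directory = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,      # genuine-looking PNG
        "malicious.php.png": b"<?php /* placeholder */ ?>",     # deceptive name
        "upload.PhP": b"<?php /* placeholder */ ?>",            # mixed-case .php
        "polyglot.jpg": b"\xff\xd8\xff<?php /* placeholder */ ?>",  # tag inside image
    }
    for name, data in samples.items():
        Path(directory, name).write_bytes(data)
    return directory


if __name__ == "__main__":
    print("weak check accepts malicious.php.png:", weak_is_allowed("malicious.php.png"))
    for relpath, reason in audit_upload_dir(build_sample_uploads()):
        print(f"REVIEW {relpath}: {reason}")
```

The audit reads whole files so that a PHP tag hidden after valid image magic bytes is still flagged; for a large upload directory you would stream the header for the magic-byte check and grep the rest separately, but the decision logic stays the same.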
