WordPress Security Plugins Failed to Protect Against Arbitrary File Upload Vulnerability Using Raw POST Data
On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was disclosed. With that type of vulnerability, the question isn’t whether it will be exploited, but how long until it happens. By the next day, we were already seeing what looked to be hackers probing for usage of the plugin.
In looking over the vulnerable code, we noticed that there were two ways the data for the file being uploaded could be sent with an exploit attempt. One was as a file included in the request (read from $_FILES), and the other was as raw POST data, which PHP can read from php://input:

```php
// Excerpt from the vulnerable upload handler in 3DPrint Lite 1.9.1.4 (fragment, not a complete function)
// Read binary input stream and append it to temp file
if ( !$in = @fopen( $_FILES["file"]["tmp_name"], "rb" ) ) {
    die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
}
} else {
    // No uploaded file: fall back to the raw request body
    if ( !$in = @fopen( "php://input", "rb" ) ) {
        die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
    }
```
With the former, our firewall plugin for WordPress and some other WordPress security plugins provide varying degrees of protection against exploitation. But with the latter, our plugin didn’t at the time provide any protection. To better understand what protection could be provided, we tested other WordPress security plugins to see if they already provided protection in that situation and, if so, how it worked.
Unfortunately, as detailed below, none of the other plugins provided protection against this type of exploitation as of yesterday, so there was nothing we could learn from them to improve our own protection.
We have now added protection to our plugin that will block requests with raw POST data that includes starting tags for PHP code, which should restrict hackers from their usual use of this type of vulnerability.
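As an added illustration of the kind of check just described (example code written for this post, not the Plugin Vulnerabilities Firewall's actual implementation), the following inspects the raw request body for a PHP opening tag and refuses the request before any plugin handler reads php://input. The function names and the 403 response are assumptions.

```php
<?php
// Added example, not the firewall plugin's own code: block requests whose raw
// POST body carries a PHP opening tag, before the vulnerable handler runs.

/**
 * Return true when $body contains a PHP opening tag. The full "<?php" tag and
 * the "<?=" echo tag are matched case-insensitively; the bare short tag "<?"
 * is deliberately not matched so legitimate XML bodies ("<?xml ...") pass.
 */
function pvf_example_contains_php_open_tag( string $body ): bool {
    return (bool) preg_match( '/<\?(?:php\b|=)/i', $body );
}

/**
 * Read the raw request body (the same data the vulnerable code reads from
 * php://input) and block the request if it carries a PHP opening tag.
 * Only POST and PUT requests are inspected; other methods carry no body here.
 */
function pvf_example_block_raw_php_post(): void {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ( ! in_array( $method, array( 'POST', 'PUT' ), true ) ) {
        return;
    }
    // Since PHP 5.6 php://input can be read more than once, so reading it here
    // does not prevent a later plugin from reading it again itself.
    $body = file_get_contents( 'php://input' );
    if ( $body === false || $body === '' ) {
        return;
    }
    if ( pvf_example_contains_php_open_tag( $body ) ) {
        // Refuse with a generic 403 and no hint about which rule matched.
        http_response_code( 403 );
        header( 'Content-Type: text/plain' );
        exit( 'Forbidden' );
    }
}

// Run as early as possible: in a WordPress plugin this belongs in the plugin's
// main file so it executes before the 3DPrint Lite upload handler is reached.
pvf_example_block_raw_php_post();
```

With this in place, the test payload from the procedure below (`<?php echo 'test';` sent as the raw POST body) is rejected with a 403, while a multipart upload with no PHP tag in the body is left to the plugin's other checks.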
Testing Procedure
For each of the tested plugins, we set up an install of WordPress 5.8.1, installed version 1.9.1.4 of 3DPrint Lite, and installed the latest version of the security plugin. We tried to enable every feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.
We performed the exploit attempts with the name specified for the new file as test.php and with the following as the raw POST data sent with the request:
<?php echo 'test';
The 25 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
Results
None of the plugins provided protection.
The full results are below:
All In One WP Security & Firewall
- WordPress.org Plugin Directory page
- Active Installs: 900,000+
- Version Tested: 4.4.9
Result: Failed to prevent exploitation.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.20.72
Result: Failed to prevent exploitation.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 3.26
Result: Failed to prevent exploitation.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20210719
Result: Failed to prevent exploitation.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 5.2
Result: Failed to prevent exploitation.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 1.9.6
Result: Failed to prevent exploitation.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 2.6.0
Result: Failed to prevent exploitation.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 4.1.09
Result: Failed to prevent exploitation.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.0.2
Result: Failed to prevent exploitation.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 10.1
Result: Failed to prevent exploitation.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 4.63
Result: Failed to prevent exploitation.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 70,000+
- Version Tested: 4.4.2
Result: Failed to prevent exploitation.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: Beta
Result: Failed to prevent exploitation.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 30,000+
- Version Tested: 2.1
Result: Failed to prevent exploitation.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 2.72.2
Result: Failed to prevent exploitation.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.124
Result: Failed to prevent exploitation.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 12.0.9
Result: Failed to prevent exploitation.
SiteGround Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 1.1.3
Result: Failed to prevent exploitation.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 400,000+
- Version Tested: 1.6.0
Result: Failed to prevent exploitation.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.30
Result: Failed to prevent exploitation.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.2.8
Result: Failed to prevent exploitation.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.5.5
Result: Failed to prevent exploitation.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 8.9.3
Result: Failed to prevent exploitation.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 6,000+
- Version Tested: 1.2.2
Result: Failed to prevent exploitation.
WP Hide & Security Enhancer
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 1.6.3.9
Result: Failed to prevent exploitation.