5 Oct 2021

WordPress Security Plugins Failed to Protect Against Arbitrary File Upload Vulnerability Using Raw POST Data

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was disclosed. With that type of vulnerability, the question isn’t whether it will be exploited, but how long until it happens. By the next day, we were already seeing what looked to be hackers probing for usage of the plugin.

In looking over the vulnerable code, we noticed that there were two ways the data for the file being uploaded could be sent with an exploit attempt. One was as a file upload sent with the request (the $_FILES path), and the other was as raw POST data, which PHP can read from php://input:

	// Read binary input stream and append it to temp file
	if ( !$in = @fopen( $_FILES["file"]["tmp_name"], "rb" ) ) {
		die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
	}
} else {
	// No uploaded file in the request: fall back to reading the raw request body
	if ( !$in = @fopen( "php://input", "rb" ) ) {
		die( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "'.__( 'Failed to open input stream.', '3dprint-lite' ).'"}, "id" : "id"}' );
	}

With the former, our firewall plugin for WordPress and some other WordPress security plugins provide varying degrees of protection against exploitation. But with the latter, our plugin didn’t at the time provide any protection. To better understand what protection could be provided, we tested other WordPress security plugins to see if they already provided protection in that situation and, if so, how that protection worked.

Unfortunately, as detailed below, none of the other plugins provided protection against this type of exploitation as of yesterday, so there was nothing we could use from them to help us better protect against it.

We have now added protection to our plugin that blocks requests whose raw POST data includes opening tags for PHP code, which should restrict hackers from their usual use of this type of vulnerability.
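To show the kind of check described here (rejecting a request whose raw body carries a PHP opening tag, the php://input path in the excerpt above), the following is an added example written for this page, not code from our firewall plugin or from 3DPrint Lite; the function names and the choice of a must-use plugin hooked on muplugins_loaded are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): a minimal must-use plugin
 * that blocks requests whose raw POST body contains a PHP opening tag.
 * Function names and the hook used are assumptions.
 */

/**
 * Return true when a request body looks like it carries PHP source.
 * Matches "<?php", "<?=" and a short tag "<?" followed by whitespace,
 * case-insensitively, anywhere in the body. "<?xml" is deliberately not
 * matched so ordinary XML bodies (e.g. XML-RPC) are not blocked.
 */
function pv_example_body_has_php_open_tag( $body ) {
	return (bool) preg_match( '/<\?(php\b|=|\s)/i', $body );
}

/**
 * Inspect the raw body of a non-multipart POST/PUT request.
 * Multipart bodies are consumed by PHP to populate $_FILES and are not
 * available on php://input, so that path needs its own check on $_FILES.
 */
function pv_example_block_raw_php_upload() {
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
	if ( $method !== 'POST' && $method !== 'PUT' ) {
		return;
	}
	$type = isset( $_SERVER['CONTENT_TYPE'] ) ? $_SERVER['CONTENT_TYPE'] : '';
	if ( stripos( $type, 'multipart/form-data' ) === 0 ) {
		return; // raw body is not readable here; handled elsewhere
	}
	// Since PHP 5.6, php://input can be read more than once, so reading it
	// here does not starve a later fopen( "php://input" ) in plugin code.
	$body = file_get_contents( 'php://input' );
	if ( $body !== false && pv_example_body_has_php_open_tag( $body ) ) {
		status_header( 403 );
		exit( 'Request blocked: raw POST data contains PHP code.' );
	}
}

// Hooking a must-use plugin on muplugins_loaded runs this check before any
// regular plugin, including the vulnerable upload handler, sees the request.
add_action( 'muplugins_loaded', 'pv_example_block_raw_php_upload' );
```

With the post's test payload (`<?php echo 'test';` as the raw body) the check returns true and the request is rejected before the upload handler runs.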

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 5.8.1, installed version 1.9.1.4 of 3DPrint Lite, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We performed the exploit attempts with test.php as the name specified for the new file and with the following as the raw POST data sent with the request:

<?php echo 'test';

The 25 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

None of the plugins provided protection.

The full results are below:

All In One WP Security & Firewall

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Failed to prevent exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Failed to prevent exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

iThemes Security

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

Result: Failed to prevent exploitation.

SecuPress Free

Result: Failed to prevent exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGround Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Wordfence Security

Result: Failed to prevent exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

Result: Failed to prevent exploitation.
