20 Jun 2024

Arbitrary File Upload Vulnerability Being Exploited in Startklar Elementor Addons

Recently, our firewall plugin blocked an attempt on one of our websites that appeared to be trying to exploit a vulnerability that would allow an attacker to upload a .php file to a website. We were able to trace that back to a vulnerability in the plugin Startklar Elementor Addons.

The log of the blocked attempt showed a request to an AJAX-accessible function in a WordPress plugin, with the action set to startklar_drop_zone_upload_process. The plugin registers a function named process() for that action, reachable both by users logged in to WordPress and by visitors who are not logged in:

add_action('wp_ajax_startklar_drop_zone_upload_process', array("StartklarElmentorFormsExtWidgets\startklarDropZoneUploadProcess", 'process'));
add_action("wp_ajax_nopriv_startklar_drop_zone_upload_process", array("StartklarElmentorFormsExtWidgets\startklarDropZoneUploadProcess", 'process'));

The changelog for a recent version of the plugin suggests that what was being targeted was fixed in version 1.7.14; the entry for that version reads “Fixed the vulnerability related to arbitrary file uploads.” The change was made to the process() function. Part of it uses the WordPress function wp_check_filetype() to check whether the uploaded file's name has a type that WordPress allows:

$validate = wp_check_filetype( $_FILES['file']['name'] );

if (!$validate['type']) {
	die(__("File type is not allowed.", "startklar-elmentor-forms-extwidgets"));
}

Prior to that, there was no restriction on what types of files could be uploaded.
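As an added example (not code from the original post or from the plugin), here is a Python check a site operator could run over web-server access logs to spot calls to the startklar_drop_zone_upload_process action that are followed, from the same client, by requests to PHP files under wp-content/uploads. The log lines are constructed, and the check assumes the AJAX action appears in the query string.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

UPLOAD_ACTION = "startklar_drop_zone_upload_process"  # AJAX action named in the post

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jun/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=startklar_drop_zone_upload_process HTTP/1.1" 200 35 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jun/2024:10:01:09 +0000] "GET /wp-content/uploads/2024/06/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jun/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 35 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jun/2024:10:05:01 +0000] "GET /wp-content/uploads/2024/06/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client, timestamp, request line (method + target), status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def is_upload_action(target):
    """True for admin-ajax.php requests whose query string carries the upload action."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return UPLOAD_ACTION in parse_qs(parts.query).get("action", [])


def is_php_in_uploads(target):
    """True when a PHP-family file under wp-content/uploads is requested (uploads should never execute)."""
    path = urlsplit(target).path
    return path.startswith("/wp-content/uploads/") and bool(PHP_EXT_RE.search(path))


def find_suspicious(log_text, window=timedelta(minutes=15)):
    """Report clients calling the upload action and their later requests to PHP files in uploads."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    upload_calls = [e for e in events if e["method"] == "POST" and is_upload_action(e["target"])]
    hits = []
    for up in upload_calls:
        for e in events:
            if e["ip"] == up["ip"] and is_php_in_uploads(e["target"]) and up["ts"] <= e["ts"] <= up["ts"] + window:
                hits.append((e["ip"], urlsplit(e["target"]).path, e["status"]))
    return {"upload_calls": sorted({e["ip"] for e in upload_calls}), "php_hits": hits}
```

Any client listed under php_hits should be treated as a likely successful exploitation and the named file removed, regardless of whether the plugin has since been updated to 1.7.14.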

Free Warning

As this vulnerability looks to be targeted by hackers, we are adding accurate data on it to the free data that comes with our Plugin Vulnerabilities plugin.
