Someone reported to us that our Plugin Vulnerabilities Firewall had blocked an attempt to exploit what turned out to be an arbitrary file upload vulnerability in the plugin Advert Manager. The blocked request was sent to the plugin’s file /upload-file.php. The relevant code that allows arbitrary file uploads in the file is this:

2
3
4

$uploaddir = 'uploads/';
$file = $uploaddir . basename($_FILES['uploadfile']['name']); 
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {

That takes a file sent with a request with the FILE name set to “uploadfile” and uploads it to the directory /wp-content/plugins/advert-manager-plugin/uploads/.