One of the ways we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability being introduced in to the plugin uListing, which can also be exploited through cross-site request forgery (CSRF). The vulnerability occurs in code handled through WordPress’ REST API, which is increasingly a vector through which vulnerabilities in WordPress plugins are accessible. (We have included checking over functionality running through the REST API in our security reviews of WordPress plugins since earlier this year due the prevalence of issues.)

The plugin registers the function upload_file() to be accessible through WordPress REST API as part of new import/export functionality: [Read more]