Zero Day Vulnerability in WP CopySafe Web and WP CopySafe PDF WordPress Plugins

Update: The issue has been confirmed, and the plugins have been temporarily removed from the repository until the author fixes the issue. Please uninstall them until the author releases a fix.

WP-CopySafe-Web and WP-CopySafe-PDF plugins have a serious Zero Day shell upload vulnerability. Scripts that exploit this vulnerability are being sold on hacker sites and first appeared 3 days ago.

We have tested and verified that having the current version of either plugin installed in your WordPress installation will allow anyone, registered or not, to upload arbitrary files to your WordPress site. This allows a hacker to upload a PHP shell to exploit your system.

The specific issue in both plugins is that the author uses the “Uploadify” library which is notorious for exposing file upload vulnerabilities and in this case it allows unauthenticated users to upload arbitrary files. We verified we could upload a file via cURL without any authentication and sending no cookies.
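For site owners who want to check whether an upload handler has already been hit, here is a small log scanner added to this post as an illustration (it is not code from the plugin author or from the original write-up). It assumes the combined access-log format, and, since the post does not name the file, it assumes the Uploadify back end is a file called uploadify.php inside a plugin directory containing "copysafe"; the log lines themselves are constructed for the example. Access logs rarely record cookies, so the scanner flags every POST to that handler and then looks for a follow-up request to a PHP file under wp-content/uploads, which is what a successfully planted shell looks like from the web server's side.

```python
import re
from collections import namedtuple

# Constructed sample of "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2012:14:02:11 +0000] "GET /wp-content/plugins/wp-copysafe-web/js/uploadify.js HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2012:14:02:13 +0000] "POST /wp-content/plugins/wp-copysafe-web/lib/uploadify.php HTTP/1.1" 200 34 "-" "Shockwave Flash"
203.0.113.5 - - [10/Sep/2012:14:02:20 +0000] "GET /wp-content/uploads/2012/09/cmd.php?x=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2012:14:05:00 +0000] "GET /wp-content/uploads/2012/09/photo.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2012:14:05:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: the Uploadify PHP back end is a file named uploadify.php somewhere under a
# plugin directory whose name contains "copysafe". Adjust to the paths you actually have.
UPLOAD_HANDLER_RE = re.compile(r'^/wp-content/plugins/[^/]*copysafe[^/]*/.*uploadify\.php$', re.I)

# Any PHP-like file served from the uploads tree is suspicious: WordPress never writes PHP there.
UPLOADS_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)$', re.I)

Finding = namedtuple("Finding", "ip ts kind path")


def scan_access_log(text):
    """Return one Finding per log line that touches the upload handler or runs PHP from uploads."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if m.group("method") == "POST" and UPLOAD_HANDLER_RE.match(path):
            findings.append(Finding(m.group("ip"), m.group("ts"), "uploadify-post", path))
        elif UPLOADS_PHP_RE.match(path):
            findings.append(Finding(m.group("ip"), m.group("ts"), "php-in-uploads", path))
    return findings


def suspect_ips(findings):
    """Clients that both posted to the upload handler and then requested PHP under uploads."""
    posted = {f.ip for f in findings if f.kind == "uploadify-post"}
    executed = {f.ip for f in findings if f.kind == "php-in-uploads"}
    return posted & executed


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.ip} {f.kind}: {f.path}")
    print("likely shell upload from:", sorted(suspect_ips(results)))
```

Run it against your real log with `scan_access_log(open("access.log").read())`; a "php-in-uploads" hit on its own is worth investigating even when no matching POST was logged.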

We have notified the author of the plugins and hope the author will release a fix soon. In the meantime, please immediately remove both plugins from your site.

Note that normally we would wait for the author to release a fix before notifying the general public, but because hackers are already distributing exploit scripts for this vulnerability, we decided that the prudent course of action is to immediately notify the subscribers of our WordPress Security mailing list (sign-up at the bottom of our home page). We don’t see why hackers should have an unfair advantage while you wait for the author to fix the security hole.


2 Comments
  • The Plugin I use is WP-CopyProtect (not WP CopySafe Web or WP CopySafe PDF). Is this plugin also affected?

    Regards
    Herbert

    • I literally glanced at the code and it looks safe if it's this one you're using:

      http://plugins.svn.wordpress.org/wp-copyprotect/tags/3.0.0/

      Regards,

      Mark.