CVE-2013-1916
📋 TL;DR
The User Photo WordPress plugin version 0.9.4 has insufficient file upload validation, allowing attackers to upload malicious PHP files disguised as images. This vulnerability affects any WordPress site running the vulnerable plugin version, enabling remote code execution even before uploaded files are approved by administrators.
💻 Affected Systems
- WordPress User Photo Plugin
📦 What is this software?
User Photo by User Photo Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal data, install persistent backdoors, or pivot to other systems.
Likely Case
Website defacement, data theft, or installation of cryptocurrency miners or botnet clients on vulnerable servers.
If Mitigated
No impact if plugin is updated or removed, or if file uploads are disabled through other security controls.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute. Attackers can upload malicious files without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.5 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/347137
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'User Photo' plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable User Photo Plugin
Deactivate and remove the vulnerable plugin from WordPress
wp plugin deactivate user-photo
wp plugin delete user-photo
Restrict File Uploads
Block execution of PHP files in the uploads directory via web server configuration
# For Apache (2.2 directives; on Apache 2.4 use "Require all denied" in place of the Order/Deny pair):
# add to wp-content/uploads/.htaccess so that only the uploads tree is affected, not WordPress core PHP files
<FilesMatch "\.(php|php5|phtml)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# For Nginx: add to the server block, scoped to the uploads path and placed before the general
# PHP location (regex locations match in order of appearance), so WordPress itself keeps working
location ~* ^/wp-content/uploads/.*\.(php|php5|phtml)$ { deny all; }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious file uploads containing PHP code
- Disable file upload functionality entirely in WordPress settings or through server configuration
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'User Photo' plugin version 0.9.4 or earlier
Check Version:
wp plugin list --name=user-photo --field=version
Verify Fix Applied:
Verify plugin version is 0.9.5 or later, or confirm plugin is not installed
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/userphoto/ directory
- POST requests to upload.php with non-image file extensions
- Execution of unexpected PHP files from upload directories
Network Indicators:
- HTTP POST requests with file uploads to WordPress upload endpoints from unexpected sources
- Outbound connections from WordPress server to suspicious IPs after file uploads
SIEM Query (pseudo-query; adapt field names and operators to your platform):
source="web_server_logs" AND ((uri_path="/wp-content/plugins/user-photo/upload.php" AND http_method="POST") OR (uri_path CONTAINS "/wp-content/uploads/userphoto/" AND uri_path CONTAINS ".php" AND response_code=200))
Each path is paired with the method or status that makes it suspicious; a bare OR on response_code=200 would also match every legitimate image fetch from the userphoto directory.
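As an added example, not part of the original advisory, the following script applies the log indicators above to Apache/Nginx Combined Log Format lines. It assumes the upload endpoint and upload directory paths given on this page; the sample log lines are constructed, not real traffic.

```python
"""Scan web server access logs for CVE-2013-1916 indicators (added example).

Flags (1) POST requests to the User Photo upload endpoint and (2) successful
requests for PHP-like files under the plugin's upload directory, which should
only ever hold images.
"""
import re
from typing import Dict, List, Optional

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/wp-content/plugins/user-photo/upload.php"   # path from the advisory
UPLOAD_DIR = "/wp-content/uploads/userphoto/"                   # path from the advisory
# Matches .php, .phpN or .phtml anywhere in the file name, so a double
# extension such as "avatar.php.jpg" is caught as well as "shell.php".
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml)(\.|$)", re.IGNORECASE)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]          # drop any query string
    method, status = m.group("method"), m.group("status")
    filename = path.rsplit("/", 1)[-1]
    if path == UPLOAD_ENDPOINT and method == "POST":
        reason = "upload-post"
    elif path.startswith(UPLOAD_DIR) and PHP_EXT_RE.search(filename) and status == "200":
        reason = "php-in-uploads"
    else:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"), "path": path, "reason": reason}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2013:12:00:01 +0000] "POST /wp-content/plugins/user-photo/upload.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Apr/2013:12:00:03 +0000] "GET /wp-content/uploads/userphoto/1.php.jpg?cmd=id HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2013:12:00:05 +0000] "GET /wp-content/uploads/userphoto/1.jpg HTTP/1.1" 200 20480',
    '198.51.100.7 - - [10/Apr/2013:12:00:09 +0000] "GET /wp-content/uploads/userphoto/1.thumbnail.jpg HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pipe a real access log in with `scan(open(path).read().splitlines())`; the upload-post finding is noisy on a busy site, so weight the php-in-uploads hits highest.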