CVE-2022-1103
📋 TL;DR
The Advanced Uploader WordPress plugin through version 4.2 contains an unrestricted file upload vulnerability that allows any authenticated user (including low-privileged subscribers) to upload arbitrary files, including PHP files. This can lead to remote code execution (RCE) on the web server. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Advanced Uploader WordPress Plugin, versions through 4.2
📦 What is this software?
Advanced Uploader by Advanced Uploader Project
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of the WordPress server, can execute arbitrary commands, steal data, install backdoors, and pivot to other systems.
Likely Case
Attacker uploads a web shell and gains persistent access to the server, potentially compromising the entire WordPress installation and associated data.
If Mitigated
With proper file type validation and server-side restrictions, malicious uploads are blocked, limiting impact to failed upload attempts.
🎯 Exploit Status
Exploitation requires an authenticated account, but any role suffices: a subscriber is enough, so on sites with open registration the bar is effectively no more than signing up. Once logged in, the upload itself is trivial. Public exploit scripts are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.1 or later
Advisory (WPScan): https://wpscan.com/vulnerability/9ddeef95-7c7f-4296-a55b-fd3304c91c18
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Advanced Uploader plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.2.1+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the Advanced Uploader plugin until patched.
wp plugin deactivate advanced-uploader
Restrict File Uploads via .htaccess
Block direct requests to PHP files in the upload directory. Add the following to .htaccess in wp-content/uploads/ (Apache 2.2 syntax; .htaccess must be honoured via AllowOverride, and this does nothing on nginx):
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
On Apache 2.4, replace the Order/Deny pair with Require all denied. Extend the pattern to every extension your PHP handler executes (for example .phtml and .phar), and apply the same rule to any other directory the plugin writes to, since this covers only wp-content/uploads/. Note that this stops an uploaded script from being executed by request; it does not stop the upload itself.
🧯 If You Can't Patch
- Remove the Advanced Uploader plugin completely from the WordPress installation; deactivating alone leaves the plugin files on disk.
- Disable open user registration (Settings > General > 'Anyone can register') and audit existing low-privileged accounts, since any authenticated user can trigger the upload.
- Implement strict file upload validation at the web application firewall (WAF) level to block PHP (and .phtml/.phar) uploads to the plugin endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Advanced Uploader version. If version is 4.2 or earlier, it is vulnerable.
Check Version:
wp plugin get advanced-uploader --field=version
Verify Fix Applied:
Verify the plugin version is 4.2.1 or later in the WordPress admin panel or with the wp-cli command above. As a logged-in low-privileged user, attempt to upload a file with a non-whitelisted extension such as .php and confirm it is rejected. Patching does not remove files an attacker has already placed, so also search wp-content/uploads/ (and any other directory the plugin writes to) for existing .php files and review them.
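A scripted form of the version check above, added here as an example (it is not code from this page, from the plugin, or from the WP-CLI project): it runs the wp-cli command given above and compares the reported version numerically against the 4.2.1 fix version stated in this advisory, because a plain string comparison gets "4.10" < "4.2" wrong. The site path and the location of the wp binary are assumptions; adjust them for your host.

```python
"""Version check for CVE-2022-1103 (added example, not part of the original page).

Runs the wp-cli command quoted in this advisory and compares the reported
version numerically, because a string comparison gets "4.10" < "4.2" wrong.
"""
import subprocess

# First non-vulnerable version according to the Fix section of this advisory.
FIXED_VERSION = "4.2.1"


def parse_version(text):
    """'4.2.1' -> (4, 2, 1). A component with a non-numeric suffix such as
    '2-beta' is truncated to its leading digits; anything after the first
    component with no digits at all is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed. Shorter tuples are zero-padded so that
    '4.2' compares equal to '4.2.0' and below '4.2.1'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_version(site_path="/var/www/html", wp_bin="wp"):
    """Ask wp-cli for the plugin version. Returns None when wp-cli is missing
    or reports an error (e.g. the plugin is not installed).
    site_path and wp_bin are assumptions for this example; --path is wp-cli's
    standard global flag for selecting the WordPress installation."""
    cmd = [wp_bin, "plugin", "get", "advanced-uploader",
           "--field=version", f"--path={site_path}"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("advanced-uploader not installed (or wp-cli unavailable)")
    elif is_vulnerable(version):
        print(f"VULNERABLE: advanced-uploader {version} < {FIXED_VERSION}; "
              "run: wp plugin deactivate advanced-uploader")
    else:
        print(f"OK: advanced-uploader {version}")
```

Run it on each host (or loop over the --path values for a multi-site fleet); a None result means the plugin is absent and nothing needs doing, while an empty or malformed version string is treated as vulnerable so the check fails closed.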
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to the wp-content/uploads/ directory, especially .php files from non-admin users.
- HTTP POST requests to upload endpoints with suspicious file extensions (the extension is normally visible only in application or WAF logs, since a plain access log does not record multipart field contents).
- Any request for a .php file under wp-content/uploads/ that the server answered with a 2xx status: a hardened site never executes PHP from that directory, so a successful hit means an uploaded script ran.
- New .php files appearing under wp-content/uploads/ in file-integrity monitoring.
Network Indicators:
- POST requests to /wp-content/plugins/advanced-uploader/upload.php with PHP file uploads.
SIEM Query:
source="web_server" AND (url_path="/wp-content/plugins/advanced-uploader/upload.php" AND method="POST" AND file_extension="php")
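The log indicators above, run over constructed sample access-log lines, as an added example (not the page's own code and not tied to any particular SIEM): it parses Apache/nginx combined-format lines, records POSTs to the upload endpoint named in the Network Indicators section, and flags any request for a PHP file under wp-content/uploads/ that the server actually served (status below 400). A hit from a client that previously POSTed to the upload endpoint is rated high; any other successfully served PHP under uploads is rated medium. The endpoint path is the one given above; the log lines are constructed for the example.

```python
"""Web-shell drop detection for CVE-2022-1103 (added example, not part of the page).

Correlates two access-log signals:
  1. POST requests to the plugin upload endpoint named in this advisory, and
  2. requests for PHP files under wp-content/uploads/ that the server actually
     served (status < 400). A hardened site never executes PHP from uploads,
     so any such hit is suspicious; one from a client that also POSTed to the
     upload endpoint is rated high.
The combined-format log lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Path as given in the Network Indicators section above.
UPLOAD_ENDPOINT = "/wp-content/plugins/advanced-uploader/upload.php"
UPLOADS_PREFIX = "/wp-content/uploads/"

# Extensions a stock PHP handler executes; extend to match your AddHandler config
# (e.g. if double extensions like .php.jpg are executable on your server).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2022:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [20/Mar/2022:10:01:09 +0000] "POST /wp-content/plugins/advanced-uploader/upload.php HTTP/1.1" 200 57
203.0.113.5 - - [20/Mar/2022:10:01:15 +0000] "GET /wp-content/uploads/2022/03/cmd.php?c=id HTTP/1.1" 200 143
198.51.100.7 - - [20/Mar/2022:10:02:00 +0000] "GET /wp-content/uploads/2022/03/photo.jpg HTTP/1.1" 200 48213
198.51.100.7 - - [20/Mar/2022:10:02:30 +0000] "GET /wp-content/uploads/old-shell.php HTTP/1.1" 404 196
192.0.2.9 - - [20/Mar/2022:10:03:00 +0000] "GET /wp-content/uploads/2022/03/cmd.php?c=whoami HTTP/1.1" 200 160
not a log line at all
"""


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_php_under_uploads(path):
    """True for a PHP-like file located anywhere below wp-content/uploads/."""
    return path.startswith(UPLOADS_PREFIX) and PHP_EXT.search(path) is not None


def analyze(log_text):
    """Return findings as dicts with ip, ts, path and severity ('high' or 'medium')."""
    posted_to_uploader = defaultdict(int)  # ip -> number of POSTs to the upload endpoint
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            posted_to_uploader[rec["ip"]] += 1
            continue
        if is_php_under_uploads(rec["path"]) and rec["status"] < 400:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "severity": "high" if posted_to_uploader[rec["ip"]] else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} served PHP from uploads: {f['path']}")
```

Point analyze() at your real access log (read the file and pass its text) and treat any high finding as an incident: the shell has already executed, so move to containment and review the uploaded file rather than just patching. Medium findings still warrant checking, since the uploader may have come from a different IP or the POST may predate your log retention.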