CVE-2022-1939
📋 TL;DR
The Allow svg files WordPress plugin before version 1.1 has improper file upload validation, allowing administrators to upload PHP files even when file upload restrictions are in place. This vulnerability affects WordPress sites using the vulnerable plugin version, potentially enabling remote code execution.
💻 Affected Systems
- Allow svg files WordPress plugin
📦 What is this software?
Allow Svg Files by Allow Svg Files Project
⚠️ Risk & Real-World Impact
Worst Case
Administrator uploads malicious PHP file leading to complete server compromise, data theft, and website defacement.
Likely Case
Compromised administrator account uploads web shell, enabling persistent backdoor access and lateral movement.
If Mitigated
With proper file upload restrictions and admin account security, impact limited to plugin functionality bypass.
🎯 Exploit Status
Exploitation requires admin credentials. Simple file upload bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1
Vendor Advisory: https://wpscan.com/vulnerability/4d7b62e1-558b-4504-a6e2-78246a8b554f
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Allow svg files' plugin.
4. Update to version 1.1 or later.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: all. Temporarily disable the Allow svg files plugin until it is patched:
wp plugin deactivate allow-svg-files
Restrict file uploads via .htaccess
Platform: Linux (Apache). Block access to PHP files in the WordPress uploads directory so that nothing uploaded there can be executed. Add to .htaccess in wp-content/uploads (each directive on its own line):
<Files *.php>
deny from all
</Files>
Note: `deny from all` is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use `Require all denied` instead. A `<Files>` rule only covers the literal `.php` extension, so also confirm that the server is not configured to execute other PHP extensions (for example `.phtml` or `.phar`) from that directory.
🧯 If You Can't Patch
- Implement strict file upload validation at web server level
- Restrict admin account access and implement multi-factor authentication
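Server-side validation of what actually lands in wp-content/uploads is the check a defender wants when patching is delayed. The script below is an added example and is not part of the advisory or the plugin; it audits an uploads tree for files with a PHP extension and, independently of the extension, for files whose bytes contain a PHP open tag (an SVG or image that carries embedded PHP still shows up). The extension allowlist, the sample directory layout and the sample files are constructed assumptions for the demonstration.

```python
"""Audit a WordPress uploads directory for PHP code (added example, not advisory code)."""
import os
import re
import shutil
import tempfile

# Assumed allowlist of extensions a WordPress media library would normally hold.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".svg", ".webp", ".pdf"}
# Extensions that a typical Apache/PHP handler configuration would execute.
PHP_EXT = {".php", ".php5", ".php7", ".phtml", ".phar"}
# PHP open tags, matched on raw bytes so that polyglot files are caught too.
PHP_TAG = re.compile(rb"<\?php\b|<\?=")


def audit_uploads(root):
    """Return sorted (relative path, reason) findings for every suspicious file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXT:
                findings.append((rel, "php-extension"))
                continue  # extension alone is enough to report this file
            if ext not in ALLOWED_EXT:
                findings.append((rel, "unexpected-extension"))
            with open(path, "rb") as fh:
                head = fh.read(65536)  # the open tag of a planted script sits near the top
            if PHP_TAG.search(head):
                findings.append((rel, "php-code-in-body"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed uploads tree: two clean files, one PHP file, one SVG with embedded PHP."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2022", "05")
    os.makedirs(month)
    samples = {
        "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b'<?php echo "constructed sample"; ?>',
        "evil.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><?php echo "x"; ?></svg>',
    }
    for name, data in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)
    return root


def audit_sample():
    """Build the constructed tree, audit it and clean up; returns the findings."""
    root = build_sample_tree()
    try:
        return audit_uploads(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in audit_sample():
        print(f"{reason:22} {rel}")
```

Run it against a real site by calling `audit_uploads("/var/www/html/wp-content/uploads")` (path is an assumption); anything reported as `php-extension` or `php-code-in-body` should be quarantined and traced back to the uploading account in the WordPress activity and web server logs.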
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Allow svg files → Version number. If version < 1.1, vulnerable.
Check Version:
wp plugin get allow-svg-files --field=version
Verify Fix Applied:
Confirm plugin version is 1.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- PHP file uploads to wp-content/uploads directory
- Admin user uploading unusual file types
- Web server executing PHP from uploads directory
Network Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with file upload parameters
- HTTP requests to suspicious PHP files in uploads directory
SIEM Query:
source="web_server" AND (uri="/wp-admin/admin-ajax.php" AND method="POST" AND file_upload="*.php") OR (uri="/wp-content/uploads/*.php")
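The same two indicators the SIEM query encodes can be applied directly to web server access logs. The script below is an added example, not part of the advisory: it parses Apache combined-format lines, flags POST requests to admin-ajax.php whose `action` parameter is an upload action (the `upload-attachment` action is the one WordPress core uses for media uploads; ordinary POSTs such as `heartbeat` are deliberately not flagged), and flags any request that is served a PHP file from under wp-content/uploads. The log lines, IP addresses and file names are constructed samples.

```python
"""Flag CVE-2022-1939-style activity in Apache combined access logs (added example, not advisory code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# PHP served from the uploads directory, regardless of which PHP extension was used.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample log: an upload through admin-ajax, a heartbeat POST, a clean SVG fetch,
# and a request that executes a PHP file from the uploads directory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=upload-attachment HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2022:10:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2022:10:01:15 +0000] "GET /wp-content/uploads/2022/06/logo.svg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2022:10:01:30 +0000] "GET /wp-content/uploads/2022/06/cache.php HTTP/1.1" 200 87 "-" "curl/7.81.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return a reason string when a parsed record matches one of the indicators, else None."""
    if rec["method"] == "POST" and rec["path"].endswith("/wp-admin/admin-ajax.php"):
        actions = rec["query"].get("action", [])
        if any("upload" in a.lower() for a in actions):
            return "upload-via-admin-ajax"
    if UPLOADS_PHP.match(rec["path"]):
        return "php-served-from-uploads"
    return None


def detect(log_text):
    """Run the indicators over a block of log text and return a list of alert dicts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A `php-served-from-uploads` alert with status 200 means the web server executed or returned the file, so the .htaccess workaround above is not in effect for that path; a 403 on the same path shows the block is working but still records that someone requested it. Correlating the two reasons by client IP and time, as in the sample, ties an upload back to the first request that executed it.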