CVE-2023-0477
📋 TL;DR
The Auto Featured Image WordPress plugin before version 3.9.16 contains an insecure AJAX endpoint that allows authenticated users with Author privileges or higher to upload arbitrary files, including PHP files, because file extensions are not sufficiently validated. Any WordPress site running an affected version of the plugin is exposed. Attackers can exploit this to upload malicious files and potentially execute arbitrary code on the server.
💻 Affected Systems
- Auto Featured Image (Auto Post Thumbnail) WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, defacement, or ransomware deployment.
Likely Case
Unauthorized file upload leading to backdoor installation, website defacement, or malware distribution.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.16
Vendor Advisory: https://wpscan.com/vulnerability/e5ef74a2-e04a-4a14-bd0e-d6910cd1c4b4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Auto Featured Image' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 3.9.16+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Auto Featured Image plugin until patched.
wp plugin deactivate auto-featured-image
Restrict file uploads via .htaccess
Block PHP file uploads in the WordPress uploads directory.
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove Author and higher privileges from untrusted users
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins > Installed Plugins. If the version is below 3.9.16, the site is vulnerable.
Check Version:
wp plugin get auto-featured-image --field=version
Verify Fix Applied:
Confirm plugin version is 3.9.16 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=apt_ajax_upload
- File uploads with .php extensions in uploads directory
- Unauthorized file creation in wp-content/uploads
Network Indicators:
- HTTP POST requests with file uploads to AJAX endpoints
- Unusual file upload patterns from Author-level accounts
SIEM Query:
source="web_server" AND (uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="apt_ajax_upload")
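As an added example (not part of the advisory), the SIEM query above expressed as a small Python scanner over constructed JSON-per-line web logs. The field names src_ip, user, method, uri_path and params are an assumption, as is a params.filename field carrying the uploaded file name; the PHP-family extensions checked are the ones the .htaccess workaround blocks.

```python
import json
import re
from typing import Dict, List

# Extensions the .htaccess workaround blocks; an upload to the vulnerable
# action carrying one of these is the strongest signal in the log.
PHP_EXT_RE = re.compile(r"\.(php|php5|php7|phtml|phar)$", re.IGNORECASE)

# Constructed sample log lines (JSON per line). Field names are assumed.
SAMPLE_LOGS = [
    '{"src_ip":"203.0.113.10","user":"editor1","method":"POST","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"apt_ajax_upload","filename":"cover.jpg"}}',
    '{"src_ip":"203.0.113.10","user":"author2","method":"POST","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"apt_ajax_upload","filename":"shell.phtml"}}',
    '{"src_ip":"198.51.100.7","user":"-","method":"GET","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"heartbeat"}}',
    '{"src_ip":"198.51.100.9","user":"admin","method":"POST","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"apt_ajax_upload"}}',
]


def classify(event: Dict) -> str:
    """Return 'critical', 'notice' or 'ok' for one parsed log event."""
    if event.get("method") != "POST" or event.get("uri_path") != "/wp-admin/admin-ajax.php":
        return "ok"
    params = event.get("params") or {}
    if params.get("action") != "apt_ajax_upload":
        return "ok"
    if PHP_EXT_RE.search(params.get("filename", "")):
        return "critical"  # PHP-family file sent to the vulnerable upload action
    return "notice"        # any use of the action is worth review on unpatched sites


def scan(lines: List[str]) -> List[Dict]:
    """Parse each JSON line and return the flagged events with a severity."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        severity = classify(event)
        if severity != "ok":
            params = event.get("params") or {}
            hits.append({"severity": severity, "user": event.get("user"),
                         "src_ip": event.get("src_ip"), "filename": params.get("filename")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Correlate the flagged user with the Author-level accounts listed under Network Indicators and with new files appearing in wp-content/uploads.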