CVE-2023-51475
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites running the WP MLM SOFTWARE PLUGIN. Attackers can upload malicious files like PHP shells to gain complete control of affected websites. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WP MLM SOFTWARE PLUGIN (WordPress plugin)
📦 What is this software?
Wp Mlm Unilevel by Wpmlmsoftware
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, website defacement, and use of the server as a platform for further attacks.
Likely Case
Website takeover with backdoor installation, credential theft, and malware distribution to visitors.
If Mitigated
File upload attempts blocked at WAF level with no successful exploitation.
🎯 Exploit Status
Simple HTTP POST request with malicious file upload. Public exploit details available on security research sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 4.0 (check plugin repository for latest)
Vendor Advisory: https://patchstack.com/database/vulnerability/wp-mlm/wordpress-wp-mlm-unilevel-plugin-4-0-unauthenticated-arbitrary-file-upload-vulnerability
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP MLM SOFTWARE PLUGIN.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
WAF File Upload Blocking
Configure the web application firewall to block file uploads to the vulnerable plugin endpoints.
WAF-specific configuration: block POST requests to */wp-content/plugins/wp-mlm/* that carry file uploads (multipart/form-data bodies).
File Permission Restrictions
Set restrictive permissions on the wp-content/uploads directory and disable PHP execution inside it, so an uploaded PHP file cannot be run even if the upload succeeds.
chmod 755 /path/to/wordpress/wp-content/uploads
Add 'php_flag engine off' to .htaccess in the uploads directory. Note that php_flag is honoured only by mod_php and only where AllowOverride permits .htaccess; under PHP-FPM or nginx, deny the PHP handler for that directory in the server configuration instead.
🧯 If You Can't Patch
- Immediately deactivate and remove the WP MLM SOFTWARE PLUGIN from all WordPress installations
- Implement strict file upload validation at application level and monitor for suspicious upload attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP MLM SOFTWARE PLUGIN version 4.0 or earlier
Check Version:
wp plugin list --name=wp-mlm --field=version (WP-CLI; --name filters on the plugin slug, i.e. its directory name under wp-content/plugins/) or check plugin details in the WordPress admin
Verify Fix Applied:
Verify plugin is either updated to version after 4.0 or completely removed from plugins directory
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to wp-content/plugins/wp-mlm/ with file uploads
- Unauthenticated file upload attempts
- Creation of suspicious PHP files in uploads directory
Network Indicators:
- Unusual file upload traffic to WordPress plugin paths
- POST requests with multipart/form-data to vulnerable endpoints
SIEM Query:
source="web_server" AND (uri_path="*wp-mlm*" AND http_method="POST" AND content_type="multipart/form-data")
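The log indicators above, applied to access-log lines as an added example (not part of the original advisory). It assumes a combined-style access log extended with the request Content-Type header (e.g. an Apache LogFormat ending in "%{Content-Type}i"); the log lines and the endpoint file name are constructed placeholders.

```python
"""Flag POST requests with multipart bodies to the wp-mlm plugin path."""
import re
from dataclasses import dataclass

# Combined log format plus a trailing quoted Content-Type request header (assumed LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$'
)

# Vulnerable plugin directory named in the advisory.
PLUGIN_PATH = "/wp-content/plugins/wp-mlm/"


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: str  # kept so blocked (403) attempts can be told apart from successful (200) ones


def flag_uploads(lines):
    """Return one Hit per POST to the wp-mlm plugin path that carries multipart/form-data."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline should count and report these
        if (m["method"] == "POST"
                and PLUGIN_PATH in m["path"]
                and m["ctype"].lower().startswith("multipart/form-data")):
            hits.append(Hit(m["ip"], m["ts"], m["path"], m["status"]))
    return hits


# Constructed sample log lines; "placeholder-endpoint.php" is not a real plugin file name.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "POST /wp-content/plugins/wp-mlm/placeholder-endpoint.php HTTP/1.1" 200 512 "-" "curl/8.0" "multipart/form-data; boundary=----x"',
    '203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /wp-content/plugins/wp-mlm/placeholder-endpoint.php HTTP/1.1" 200 88 "-" "curl/8.0" "-"',
    '198.51.100.4 - - [10/Jan/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "application/x-www-form-urlencoded"',
    '198.51.100.4 - - [10/Jan/2024:12:00:04 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "multipart/form-data; boundary=----y"',
    '203.0.113.9 - - [10/Jan/2024:12:00:05 +0000] "POST /wp-content/plugins/wp-mlm/placeholder-endpoint.php HTTP/1.1" 403 0 "-" "python-requests/2.31" "multipart/form-data; boundary=----z"',
]

if __name__ == "__main__":
    for hit in flag_uploads(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.status} {hit.path}")
```

The legitimate authenticated media upload to wp-admin/async-upload.php is not flagged, which keeps the rule close to the SIEM query above rather than alerting on every multipart POST.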
🔗 References
- https://patchstack.com/database/vulnerability/wp-mlm/wordpress-wp-mlm-unilevel-plugin-4-0-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve