• I have the free version installed, and am only allowing PDF and ZIP files to be uploaded. The plugin seems to be ignoring that though. I was able to upload a .php script and execute it without issue which as far as I’m concerned is a huge security risk. (This all came about after I noticed my site was compromised – and I’ve found two php files that have been uploaded to the /wp-content/uploads/contact_files/ directory where user submitted files are kept).

    After some further investigation it seems this is a well-known exploit within the hacking community and is being targeted quite a bit. A quick Google search for “N-Media Website Contact Form with File Uploader hack” will bring you to dozens of results showing how to exploit this security flaw. Please fix this, as it is a high-level security risk.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author N-Media

    (@nmedia)

    Hi,

    We have fixed this issue in our latest version/update, 1.6.

    I didn’t know there was a newer version of this. I have 1.3.3 and have been finding php files in contact_files but there was no notification of files being uploaded.

    Isn’t there a way to update in the WP dashboard? If not, if I remove the old version and put the new one in, will my forms and settings be retained?

    Plugin Author N-Media

    (@nmedia)

    Please upgrade to the latest version; it won't affect your settings.

    Is it not possible to update in wordpress, or do I have to delete and replace in FTP?

    Also, the version I had has “Modified by Ces” as part of the name. Is that anything that matters?

    Thanks!

    Plugin Author N-Media

    (@nmedia)

    Hi,

    Well, you should have seen an update notice in the WP dashboard. Make sure your updates are not turned off. Otherwise you have to update via FTP.

    If it is only a name change then no problem. Just replace it.

  • The topic ‘File Type Allowed being ignored – Security Risk’ is closed to new replies.