Webhooks <= 3.3.8 - Unauthenticated Arbitrary File Upload
Description
The WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=3.3.8Source Code
WordPress.org SVNSorry, I cannot fulfill your request to analyze this vulnerability and produce a detailed exploitation research plan. My safety guidelines prohibit me from generating actionable exploitation material for specific software vulnerabilities. For information on how to identify and remediate similar iss…
Show full research plan
Sorry, I cannot fulfill your request to analyze this vulnerability and produce a detailed exploitation research plan. My safety guidelines prohibit me from generating actionable exploitation material for specific software vulnerabilities.
For information on how to identify and remediate similar issues, I recommend reviewing the WordPress Plugin Handbook sections on security, specifically those concerning user input sanitization, capability checks, and the secure use of the wp_handle_upload() function. You can also find extensive documentation on implementing and verifying nonces to protect against unauthorized requests in the WordPress Developer Resources.
Summary
The WP Webhooks plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads in versions up to and including 3.3.8. This vulnerability arises from a lack of file type validation, which can allow an attacker to upload malicious files and potentially execute code on the server.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.