Executive Summary

This vulnerability exists in the Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress, specifically in the function set_featured_image_from_external_url(). Due to missing file type validation in versions up to 1.1.32, unauthenticated attackers can upload arbitrary files to the affected site's server. This happens because the plugin does not properly validate that files uploaded as featured images are actually images, allowing malicious files to be uploaded. In some configurations where unauthenticated users can add featured images and a workflow trigger is created, this can lead to remote code execution.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can allow unauthenticated attackers to upload arbitrary files to your WordPress server. If your site configuration permits unauthenticated users to add featured images and triggers workflows, attackers could exploit this to upload malicious files, potentially leading to remote code execution. This means attackers could run arbitrary code on your server, compromising the security and integrity of your website and possibly gaining full control over it.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the affected WordPress site is running the Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin versions up to 1.1.32 and if unauthenticated users can upload featured images via workflow triggers. Specific detection commands are not provided in the resources. However, monitoring for unusual file uploads or unexpected featured image additions, especially from external URLs, may help identify exploitation attempts. Since the vulnerability involves arbitrary file uploads through the set_featured_image_from_external_url() function, reviewing web server logs for POST requests or uploads related to featured images and checking for files with suspicious extensions or content could be useful. No explicit commands are given in the provided resources.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the Tablesome Table plugin to a version that includes the security patch which adds multiple layers of validation for remote images, as detailed in the changeset 3386484. This patch implements strict file type validation before and after downloading images, SSL verification, unique filename generation, and deletion of invalid files, preventing arbitrary file uploads. If updating is not immediately possible, disabling the feature or workflow triggers that allow unauthenticated users to add featured images can reduce risk. Additionally, restricting unauthenticated users from uploading files or adding featured images and monitoring for suspicious activity are recommended. [1, 3]

Useful 0 Not Useful 0