WordPress Vulnerability: ShortPixel Enable Media Replace Plugin!
The Enable Media Replace Plugin by ShortPixel, it enables users to update images very easily, without having to delete the old image and then upload the updated version with the same file name.
The vulnerability allows users with publishing privileges to upload arbitrary files, including PHP shells, which can be used to execute code and take control of the website. The issue appears to be related to the fact that the plugin does not properly check the file type when users upload image files, which can be exploited by attackers to bypass the security controls. Given that the plugin is installed in over 600,000 websites, it’s important that site owners take immediate action to address the vulnerability.
- The first step is to check if the plugin is installed and, if so, to update it to the latest version as soon as possible.
- ShortPixel has released a patched version of the plugin (version 3.5.3) that addresses the vulnerability, so updating to this version is essential.
- In addition to updating the plugin, it’s also a good idea to review the permissions and privileges of users who have access to the site, especially those who have publishing privileges.
- Site owners should also consider implementing additional security measures, such as using a web application firewall and conducting regular security scans to identify any other vulnerabilities or malicious activity.
Overall, Enable Media Replace Plugin highlights the importance of keeping all software and plugins up to date, and regularly reviewing user permissions and security controls to protect against potential attacks. try to use and share your opinions!