Title: [Plugin: Visual Form Builder] File upload vulnerability?
Last modified: August 20, 2016

---

# [Plugin: Visual Form Builder] File upload vulnerability?

 *  Resolved [Tom Auger](https://wordpress.org/support/users/tomauger/)
 * (@tomauger)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-visual-form-builder-file-upload-vulnerability/)
 * Sorry, what a pain, right? I notice that you’re not changing the uploaded file’s
   filename at all, and are just storing it in the uploads folder. Doesn’t this 
   open up a massive vulnerability, since you’re letting anonymous users upload 
   a file, possibly spoofed, and then immediately access that file, now on the server,
   in an easily guessable location?
 * What if the uploaded file were a webshell?
 * Okay, you enforce a file extension check, but I don’t know if that’s a 100% guarantee
   against an executable upload.
 * Please note the relatively recent vulnerability that struck MMForms, and is the
   reason that plugin is now blacklisted on many sites.
 * My recommendation is to hash the filename, or at least create a new folder for
   each upload with an unguessable, unique hash. That way an anonymous user can’t
   just upload a file and then access it immediately without any verification / 
   validation at all. Hackers notwithstanding, imagine someone (ab)using the upload
   form to upload questionable material and then immediately guessing and posting
   a link to that material to a file sharing site? Suddenly your plugin’s admin 
   is unwittingly hosting a shared file without even knowing it!
 * Something to consider. You may want to simply remove the file upload field for
   now until you have that issue addressed.
 * [http://wordpress.org/extend/plugins/visual-form-builder/](http://wordpress.org/extend/plugins/visual-form-builder/)
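One way to implement the mitigation suggested above (an unguessable per-upload folder plus a randomized filename, behind an extension and MIME allowlist), as an added example that is not Visual Form Builder's code nor the poster's. The `upload_dir` and `wp_handle_upload_prefilter` filters and `wp_check_filetype_and_ext`/`wp_handle_upload` are WordPress core APIs; the `vfb_example_` functions, the allowlist and the `vfb-example` directory name are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardens anonymous form uploads:
// allowlisted extension + detected MIME type, random filename, and a random
// per-upload subdirectory so the stored path cannot be guessed from the
// submitted name. The allowlist below is an assumption for illustration.
const VFB_EXAMPLE_ALLOWED_EXT = array( 'pdf', 'png', 'jpg', 'jpeg', 'gif' );

// Runs before WordPress moves the file: validate, then replace the name.
function vfb_example_prefilter( $file ) {
    // Checks the extension against the bytes actually in the temp file.
    $checked = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    $ext     = $checked['ext'] ? strtolower( $checked['ext'] ) : '';
    if ( '' === $ext || ! in_array( $ext, VFB_EXAMPLE_ALLOWED_EXT, true ) ) {
        $file['error'] = 'This file type is not permitted.';
        return $file;
    }
    // Discard the user-chosen name; keep only the verified extension.
    $file['name'] = bin2hex( random_bytes( 16 ) ) . '.' . $ext;
    return $file;
}

// Puts this upload in its own unguessable subdirectory of the uploads folder.
function vfb_example_upload_dir( $dirs ) {
    $subdir         = '/vfb-example/' . bin2hex( random_bytes( 16 ) );
    $dirs['subdir'] = $subdir;
    $dirs['path']   = $dirs['basedir'] . $subdir;
    $dirs['url']    = $dirs['baseurl'] . $subdir;
    return $dirs;
}

// Call this with one entry of $_FILES from the form handler. The filters are
// attached only around this call so other uploads on the site are unaffected.
function vfb_example_handle_form_upload( $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    add_filter( 'wp_handle_upload_prefilter', 'vfb_example_prefilter' );
    add_filter( 'upload_dir', 'vfb_example_upload_dir' );
    // test_form => false because this is not the core media upload form.
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    remove_filter( 'upload_dir', 'vfb_example_upload_dir' );
    remove_filter( 'wp_handle_upload_prefilter', 'vfb_example_prefilter' );
    // Either array( 'file' => ..., 'url' => ..., 'type' => ... ) or array( 'error' => ... ).
    return $result;
}
```

The uploads directory is still web-served, so pair this with a web-server rule that refuses to execute scripts under it; the random directory only stops guessing, it does not make the file private.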

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [kenrichman](https://wordpress.org/support/users/kenrichman/)
 * (@kenrichman)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-visual-form-builder-file-upload-vulnerability/#post-3111207)
 * No guessing required; the URL is contained within the email that the user gets
   a copy of.
 * It’s really not ideal for the files to be stored in the uploads folder.
 *  Thread Starter [Tom Auger](https://wordpress.org/support/users/tomauger/)
 * (@tomauger)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-visual-form-builder-file-upload-vulnerability/#post-3111208)
 * Even scarier. I haven’t checked to see whether the upload form uses nonces or
   not, but if not, there could be a real hole here.
 *  Plugin Author [Matthew Muro](https://wordpress.org/support/users/mmuro/)
 * (@mmuro)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-visual-form-builder-file-upload-vulnerability/#post-3111209)
 * > Please note the relatively recent vulnerability that struck MMForms
 * My code is not even remotely close to how they uploaded files.
 * > Even scarier. I haven’t checked to see whether the upload form uses nonces 
   > or not, but if not, there could be a real hole here.
 * Maybe you should look before spreading FUD.
 * > It’s really not ideal for the files to be stored in the uploads folder.
 * You are welcome to change this. Here’s a [tutorial on how to customize the upload directory](http://matthewmuro.com/2012/05/22/visual-form-builder-pro-customize-the-upload-directory/).
 *  [kenrichman](https://wordpress.org/support/users/kenrichman/)
 * (@kenrichman)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-visual-form-builder-file-upload-vulnerability/#post-3111210)
 * Thanks for the tutorial – I have made this change and it works, I can now upload
   to a different directory.
 *  Thread Starter [Tom Auger](https://wordpress.org/support/users/tomauger/)
 * (@tomauger)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-visual-form-builder-file-upload-vulnerability/#post-3111211)
 * Hey Matt, I’m sorry if my comments appeared to be defamatory. I can tell from
   your responses that you’re upset. That was not my intention.
 * I don’t know what FUD is, but I guess it’s not a nice acronym. At any rate, I
   accept that I haven’t checked too deeply into your code, but then again, you 
   could have just explained how your code is structured to prevent security issues.
 * Not trying to bust your chops. Just looking at ways to improve your already great
   plugin.
 * Be well,
 * Tom


The topic ‘[Plugin: Visual Form Builder] File upload vulnerability?’ is closed to
new replies.
