Title: WPPA upload.php
Last modified: August 30, 2016

---

# WPPA upload.php

 *  [edtorrey](https://wordpress.org/support/users/edtorrey/)
 * (@edtorrey)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/wppa-uploadphp/)
 * Oppa
    First, let me say you are one of the most prolific developers I have ever
   seen. And you have produced a first class application. Kudos to you sir.
 * Now my question.
    An international commercial site I support has been hacked 
   twice with malware. The perpetrator is injecting html and php pages to facilitate
   boosting search results.
 * Not yet sure how they're getting in but it looks like via an uploader php vulnerability.
 * Does WPPA+ use any form of background upload from your server that would transparently
   take place outside the Plugin Upgrade process?
 * [https://wordpress.org/plugins/wp-photo-album-plus/](https://wordpress.org/plugins/wp-photo-album-plus/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [Jacob N. Breetvelt](https://wordpress.org/support/users/opajaap/)
 * (@opajaap)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/wppa-uploadphp/#post-6619694)
 * There is a frontend upload procedure to upload photos ( .jpg, .gif and .png ).
   See wppa-functions.php line 3964:
 *     ```
       // Subroutine to upload one file in the frontend
       function wppa_do_frontend_file_upload( $file, $alb ) {
       .
       .
       ```
   
 * This function will produce an error on non-image files.
 * If you install the [current development version](https://downloads.wordpress.org/plugin/wp-photo-album-plus.zip)
   ( or later version 6.3.7 ) the front-end uploads using this function will be logged,
   so you can see what file when by who is uploaded.
 * See the Log list in Photo Albums -> Settings admin page Table VIII-C1.
 * Maybe this will help you to find out what is happening.
 *  Thread Starter [edtorrey](https://wordpress.org/support/users/edtorrey/)
 * (@edtorrey)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/wppa-uploadphp/#post-6619733)
 * Jacob, I wasn’t so much worried about what users were doing on the front-end,
   I was more concerned with what WPPA did on the backend, and transparent to human
   actions, whether by administrator or front-end user.
 * We’re sorting through malware encroachment that has us looking at any page with
   a name that implies upload capability.
 * In my question, I was looking for a simple yes or no really. Does WPPA employ
   any form of download from WPPA or other server, adding to server-side content,
   transparently to admin or user, and outside the “install or update plugin” action?
 *  Plugin Author [Jacob N. Breetvelt](https://wordpress.org/support/users/opajaap/)
 * (@opajaap)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/wppa-uploadphp/#post-6619755)
 * > Does WPPA employ any form of **download** from WPPA or other server,
 * You are confusing me now, I assume you mean **upload**?
 * – The Upload page ( Photo Albums -> Upload photos )
 * – The Import page ( Photo Albums -> Import photos )
 * – On the Photo Albums -> Settings admin page items Table IX-F4 and F9
 * If you find any potential vulnerability, please do not mention it here, but mail
   me: opajaap at opajaap dot nl

The topic ‘WPPA upload.php’ is closed to new replies.

 * 3 replies
 * 2 participants
 * Last reply from: [Jacob N. Breetvelt](https://wordpress.org/support/users/opajaap/)
 * Last activity: [10 years, 8 months ago](https://wordpress.org/support/topic/wppa-uploadphp/#post-6619755)
 * Status: not resolved