planetree
Forum Replies Created
Forum: Plugins
In reply to: [Iptanus File Upload] Potentially serious security issue
Thanks Nick. No security background, just write our own code for our applications.
Forum: Plugins
In reply to: [Iptanus File Upload] Potentially serious security issue
The file was definitely uploaded through the plugin, it’s in the log.
Whatever function you’re using to verify the extension is obviously unsuitable. If you’re operating in a PHP environment then you’d think that checking a file for the string “<?php” if it’s anything other than a .php extension file would be the bare minimum! As an FYI, I did try uploading the file on the section of our site where we write the code, where we use the CodeIgniter framework, and it correctly rejected the file, so if you’re looking for code that does the job right you need look no further than that.
Let’s be clear, there is at least one malicious actor out there that is actively searching for instances of your plug-in and uploading malicious code. In the face of that it is absolutely irrelevant if WordPress is to blame and the fact that you “use the default WordPress functions” absolves you of no blame now that you know it’s an issue. Like I said, at a minimum you should write some code to reject any file with “<?php” in it, that would take you 2 minutes to do and it’s almost malpractice not to have already done so.
If you provide the URL of your WordPress site with your plugin installed I’m happy to demo crashing it by uploading the file I described. Just let me know a good time so you can delete the file and bring it back up again quickly.
- This reply was modified 6 years, 2 months ago by planetree.
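The check the reply above asks for, written out as an added example. This is not the plugin's code and not the poster's; the function name, the extension allow-list and the sample bytes are assumptions constructed for illustration. It goes slightly beyond the reply's literal “<?php” test: it allow-lists the final extension, rejects a PHP-like extension hidden earlier in the name (shell.php.jpg), and refuses any file whose bytes contain a PHP open tag (“<?php”, the short tag “<?” or “<?=”), whatever the extension claims.

```php
<?php
// Added example, not the plugin's own code. Names and the allow-list are
// assumptions chosen for this illustration.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'csv'];

/**
 * Validate an uploaded file before it is stored anywhere web-reachable.
 * Returns null when the file is acceptable, otherwise a short reason string.
 *
 * @param string $original_name  The client-supplied file name (untrusted).
 * @param string $tmp_path       Path of the temporary upload on disk.
 */
function validate_upload(string $original_name, string $tmp_path): ?string
{
    // 1. Allow-list the *last* extension, compared case-insensitively.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return "extension '$ext' is not allowed";
    }

    // 2. Reject a script-like extension anywhere else in the name
    //    (e.g. shell.php.jpg); some server configurations still hand such
    //    names to the PHP interpreter.
    $parts = explode('.', strtolower($original_name));
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $segment) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/', $segment)) {
            return "name contains disallowed extension '$segment'";
        }
    }

    // 3. Content scan: refuse any PHP open tag regardless of extension.
    //    "<?xml" is deliberately not matched, so SVG/XML uploads still pass
    //    this step if their extension is allowed.
    $data = file_get_contents($tmp_path);
    if ($data === false) {
        return 'could not read uploaded file';
    }
    if (preg_match('/<\?(php\b|=|\s)/i', $data)) {
        return 'file contains a PHP open tag';
    }

    return null;
}

// --- Usage with constructed sample data (not real uploads) ---
$tmp = tempnam(sys_get_temp_dir(), 'upload');

// A file named like a JPEG whose bytes carry a PHP open tag.
file_put_contents($tmp, "\xFF\xD8\xFF\xE0 JFIF header bytes <?php echo 'marker'; ?>");
echo 'photo.jpg with PHP tag: ', validate_upload('photo.jpg', $tmp) ?? 'accepted', PHP_EOL;

// Same bytes, but the name hides a PHP extension before the allowed one.
echo 'shell.php.jpg: ', validate_upload('shell.php.jpg', $tmp) ?? 'accepted', PHP_EOL;

// A file with no PHP tag and an allowed extension.
file_put_contents($tmp, "\xFF\xD8\xFF\xE0 plain image bytes only");
echo 'clean photo.jpg: ', validate_upload('photo.jpg', $tmp) ?? 'accepted', PHP_EOL;

unlink($tmp);
```

The content scan is the cheap, two-minute check the reply describes; the extension rules around it cost little more. None of this replaces the server-side control that makes uploaded files inert in the first place: configure the web server so that nothing under the uploads directory is ever passed to the PHP interpreter, so that a file which slips past the validator is served as plain bytes rather than executed.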