A few weeks back I posted a warning on our site for users of the Clockstone WordPress theme to remove it from their sites until CMSMasters had a chance to patch their theme(s). The flaw was a file upload vulnerability that allowed anyone to gain access to a victim's site by uploading whatever files they wanted to it. The nature of the flaw was not isolated to the Clockstone theme alone, so I worked with CMSMasters and waited until they had a chance to patch this and their other themes as well. The code that allowed this attack was in several files which did not require authentication as a logged-in WordPress user, so anyone requesting the URL directly could execute the upload script.
After a successful attack, you would see on your screen the name of your uploaded file in hash form; the file would be located in the same path as the upload script if using the code above, though you could choose pretty much anywhere to upload the file to. The file was given an MD5-hashed name ending in the extension of the file you uploaded, but because the script echoed the file name back, it was easy to see where your file was when done.
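For contrast, here is how a theme upload handler should be wired up in WordPress so that the two problems described above (no authentication, and no control over what gets written to disk) do not arise. This is an added example written for this post, not code from the Clockstone theme or from CMSMasters; the action name `example_theme_upload`, the nonce action `example_theme_upload_nonce` and the form field name `file` are assumptions.

```php
<?php
// Added example of a hardened WordPress theme upload handler (not the theme's code).
// Assumed names: AJAX action "example_theme_upload", nonce action
// "example_theme_upload_nonce", file field "file".

// Refuse direct execution: this file only runs when loaded through WordPress,
// never when its URL is requested on its own (the exposure described in the post).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

function example_theme_handle_upload() {
    // 1. Require a logged-in user who is allowed to upload files.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Not allowed', 403 );
    }

    // 2. Require a valid nonce so the request came from our own form, not a forged one.
    check_ajax_referer( 'example_theme_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'No file received', 400 );
    }

    // 3. Let WordPress check extension and MIME type against its allowed list,
    //    so an executable upload (for example .php) is rejected before it reaches disk.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not permitted', 415 );
    }

    // 4. wp_handle_upload() moves the file into the uploads directory under a
    //    sanitized, unique name and rechecks the type. test_form is false because
    //    this is an AJAX request rather than a classic form post.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Return only the public URL, never the server-side path.
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Only the wp_ajax_ hook is registered (no wp_ajax_nopriv_), so anonymous requests
// to admin-ajax.php for this action are refused by WordPress before our code runs.
add_action( 'wp_ajax_example_theme_upload', 'example_theme_handle_upload' );
```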
The vulnerable code in their theme was as follows: