"Vulnerability Exposed in WordPress Plugin User Submitted Posts"

Security researchers at Patchstack have discovered a new vulnerability in the User Submitted Posts WordPress plugin (versions 20230902 and below). With over 20,000 active installations, this popular plugin is used for user-generated content submissions and is developed by Plugin Planet. The vulnerability has been assigned CVE-2023-45603. According to the researchers, the plugin suffers from an unauthenticated arbitrary file upload vulnerability. The flaw resides in the plugin’s handling of uploaded files, particularly in the “usp_attach_images” function. The researchers noted that unauthenticated users could exploit the vulnerability by uploading files containing embedded PHP code, which would then execute on the server, potentially compromising the website’s security. The researchers discovered the flaw in September 2023, and Plugin Planet issued a patch two days later. The issue has been addressed in the latest plugin release, version 20230914. Users are strongly advised to update their installations immediately to protect their websites from this serious security threat.

 

Infosecurity reports: "Vulnerability Exposed in WordPress Plugin User Submitted Posts"
 

Submitted by Adam Ekwall on