A critical Arbitrary File Upload vulnerability has been identified in the Thumbnail Slider With Lightbox plugin. It allows a malicious actor to upload a file of any type to the affected website, including server-side backdoors (web shells) that can then be used to gain further access to the site.

Ala Arfaoui discovered and reported this vulnerability.

The root cause is a flaw in the way the Thumbnail Slider With Lightbox plugin handles file uploads: the upload handler does not adequately restrict the type of file being uploaded, so an attacker can exploit it to place a file of any type, including executable scripts, on the affected website.

Severity

Critical (CVSS 3.1 base score of 10.0)

Affected Versions

All versions of the Thumbnail Slider With Lightbox plugin prior to 1.0.1

Impact

If a malicious actor is able to exploit this vulnerability, they could:

  • Upload any type of file to your website, including web shells, malware, or phishing pages.
  • Execute uploaded server-side scripts, which amounts to remote code execution on the web server and can lead to data theft, website defacement, or denial of service.

Recommendation

Immediate action is required to mitigate this critical vulnerability:

  • Update immediately: Update the Thumbnail Slider With Lightbox plugin to the latest available version (at least 1.0.1). This vulnerability has been fixed in version 1.0.1.
  • Vulnerability Assessment: After the update, perform a thorough vulnerability assessment to confirm that the Arbitrary File Upload vulnerability has been effectively eradicated. Note that updating closes the upload hole but does not remove files an attacker may already have uploaded, so also inspect the uploads directory for unexpected scripts, double-extension files, and dropped server configuration files.
  • Security Auditing: Regularly audit the website’s security measures to detect any potential threats promptly.
  • User Communication: Notify the site’s users and administrators about the plugin update and its security implications. Promote strong authentication practices, including password changes.
  • Ongoing Vigilance: Keep a vigilant eye out for future updates, advisories, or patches related to the Thumbnail Slider With Lightbox Plugin, and ensure their prompt application.
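The description above explains that the flaw lets an attacker drop a file of any type on the site, and the recommendations call for an assessment after updating. The following is an added example (not code from the advisory, the plugin, or its author) of the post-update check a practitioner would run: it walks a WordPress uploads tree and flags the artifacts an arbitrary-upload exploit typically leaves behind. It assumes the plugin runs on WordPress with a PHP web server and stores files under wp-content/uploads; the directory layout, file names and file contents in build_fixture are constructed sample data, and the extension and directive lists are starting points rather than a complete catalogue of what a given server will execute.

```python
"""Post-update audit of a WordPress uploads directory (added example).

Updating a plugin closes the upload hole but does not delete files an
attacker already placed. This walks wp-content/uploads and flags files a
web server could execute, or that hide PHP inside an image.
"""
import re
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler. Not exhaustive: what really
# executes depends on the server configuration, so treat this as a starting list.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# A dropped .htaccess or .user.ini can make "images" executable or prepend
# attacker code to every request; these directives are the usual suspects.
CONFIG_FILES = {".htaccess", ".user.ini"}
DANGEROUS_DIRECTIVE = re.compile(
    rb"AddHandler|AddType|SetHandler|auto_prepend_file|php_value", re.IGNORECASE)


def classify(path: Path, root: Path):
    """Return (relative_path, reason) if the file is suspicious, else None."""
    rel = path.relative_to(root).as_posix()
    exts = [s.lower() for s in path.suffixes]
    with path.open("rb") as fh:
        head = fh.read(4096)  # an open tag in a planted file sits near the start
    if path.name in CONFIG_FILES:
        if DANGEROUS_DIRECTIVE.search(head):
            return rel, "server config overrides handlers"
        return None
    if exts and exts[-1] in EXECUTABLE_EXT:
        return rel, "executable extension"
    if any(e in EXECUTABLE_EXT for e in exts[:-1]):
        return rel, "double extension"  # e.g. shell.php.jpg under a loose AddHandler
    if PHP_OPEN_TAG.search(head):
        return rel, "php code inside non-php file"  # image/PHP polyglot
    return None


def audit_uploads(root):
    """Scan every file under root and return sorted (path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            hit = classify(path, root)
            if hit:
                findings.append(hit)
    return sorted(findings)


def build_fixture(root):
    """Constructed sample tree: two legitimate slides plus four planted files."""
    d = Path(root) / "2024" / "05"
    d.mkdir(parents=True)
    (d / "slide1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (d / "slide2.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (d / "cache.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (d / "logo.php.jpg").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (d / "banner.gif").write_bytes(b"GIF89a<?php echo 'constructed sample'; ?>")
    (Path(root) / ".htaccess").write_bytes(
        b"AddHandler application/x-httpd-php .jpg\n")


def demo():
    """Build the fixture in a temporary directory and return what the audit flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit_uploads(tmp)


if __name__ == "__main__":
    # On a real site call audit_uploads("/var/www/html/wp-content/uploads") instead.
    for rel, reason in demo():
        print(f"{reason:35s} {rel}")
```

Run it against the real uploads directory rather than the fixture; a clean result does not prove the site was never compromised (an attacker may have moved on to other directories or the database), but any hit here is a file that should not exist after a legitimate slider upload and warrants an incident response rather than deletion alone.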