CVE-2024-6132 Overview
The Pexels: Free Stock Photos plugin for WordPress contains an arbitrary file upload vulnerability due to missing file type validation in the pexels_fsp_images_options_validate function. This security flaw affects all versions up to and including 1.2.2, allowing authenticated attackers with contributor-level or higher permissions to upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution.
Critical Impact
Authenticated attackers can upload malicious files such as PHP web shells to WordPress sites, potentially achieving full remote code execution and complete site compromise.
Affected Products
- Pexels: Free Stock Photos WordPress Plugin versions up to and including 1.2.2
- WordPress sites with the vulnerable plugin installed
- Any WordPress installation where users have contributor-level or above permissions
Discovery Timeline
- 2024-06-19 - CVE-2024-6132 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6132
Vulnerability Analysis
This arbitrary file upload vulnerability stems from a critical oversight in input validation within the WordPress plugin's settings handling mechanism. The pexels_fsp_images_options_validate function in settings.php fails to properly validate uploaded file types, creating a dangerous security gap that authenticated users can exploit.
The vulnerability is particularly concerning because it requires only contributor-level access—a relatively low privilege level in WordPress that is commonly granted to content creators and guest authors. Once exploited, an attacker can upload executable PHP files or other malicious content directly to the server's file system.
Root Cause
The root cause of this vulnerability is the absence of file type validation in the pexels_fsp_images_options_validate function located in the plugin's settings.php file at line 239. The function processes file uploads without checking the file extension, MIME type, or content, allowing any file type to be uploaded to the server. This represents a fundamental violation of secure file upload practices where all user-supplied files should be validated against an allowlist of permitted file types.
Attack Vector
The attack is network-based and requires authentication with at least contributor-level permissions. An attacker would first need to obtain valid WordPress credentials for an account with sufficient privileges. Once authenticated, the attacker can exploit the vulnerable file upload functionality to submit malicious files disguised as legitimate content.
A typical attack scenario involves uploading a PHP web shell through the plugin's interface. Because the pexels_fsp_images_options_validate function does not verify file types, the malicious PHP file is accepted and stored on the server. The attacker can then directly access the uploaded file via its URL, executing arbitrary code with the web server's privileges.
The vulnerability allows attackers to bypass WordPress's built-in security mechanisms that normally prevent unauthorized file types from being uploaded, as the plugin implements its own flawed file handling logic.
Detection Methods for CVE-2024-6132
Indicators of Compromise
- Presence of unexpected PHP files in the WordPress upload directories or plugin folders
- Web server access logs showing requests to unusual file paths within the Pexels plugin directory
- New or modified files with suspicious extensions in /wp-content/uploads/ or plugin directories
- Unusual POST requests to the plugin's settings endpoints from contributor-level accounts
Detection Strategies
- Monitor file system changes in WordPress directories for newly created PHP files or files with executable extensions
- Implement web application firewall (WAF) rules to detect and block file upload attempts containing PHP code or other executable content
- Review WordPress audit logs for settings changes made by contributor-level users
- Deploy file integrity monitoring to detect unauthorized modifications to plugin directories
Monitoring Recommendations
- Enable detailed logging for WordPress plugin activities, particularly file upload operations
- Configure alerts for new file creations in web-accessible directories with executable permissions
- Monitor for outbound connections from the web server that may indicate web shell activity
- Regularly audit user accounts with contributor-level or higher permissions for suspicious activity
How to Mitigate CVE-2024-6132
Immediate Actions Required
- Update the Pexels: Free Stock Photos plugin to the latest patched version immediately
- Audit all files in WordPress upload directories and plugin folders for suspicious or unexpected file types
- Review and restrict contributor-level account permissions where possible
- Temporarily disable the plugin if an update is not immediately available
Patch Information
Organizations should update the Pexels: Free Stock Photos WordPress plugin to a version newer than 1.2.2 that includes proper file type validation. The patch should be available through the WordPress plugin repository. Administrators can review the vulnerable code at the WordPress Plugin Code Reference and consult the Wordfence Vulnerability Report for additional details.
Workarounds
- Temporarily deactivate and remove the Pexels: Free Stock Photos plugin until a patched version can be installed
- Implement server-side file upload restrictions to block PHP and other executable file types in upload directories
- Add .htaccess rules to prevent PHP execution in WordPress upload directories
- Restrict contributor-level account creation and review existing accounts with elevated permissions
# Add to .htaccess in wp-content/uploads/ to prevent PHP execution
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
