WordPress Uploadify Vulnerability

Woke up this morning and saw a post by ITPixie regarding uploadify vulnerabilities in multiple WordPress themes and plugins. One of the themes was one I remember looking at using, so I took a quick trip to the computer to make sure those files weren’t on my server (fortunately, they weren’t).

Uploadify is a file-upload component used by WordPress themes and plugins. It has a vulnerability that allows malicious files to be uploaded, caused by improper checking of the extension of the uploaded file.
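To make the class of bug concrete, here is an added illustration (not Uploadify's or WordPress's own code) written in Python rather than PHP: a constructed weak check of the kind the post describes, which compares a short denylist against the raw file name, beside a hardened allowlist check. The file names and the `DENYLIST`/`ALLOWLIST` sets are assumptions chosen for the demonstration.

```python
import os
from typing import Iterable

# Constructed for illustration: a weak check that only refuses names ending in
# ".php". It is not Uploadify's code, just the shape of mistake the post describes.
DENYLIST = {".php"}


def weak_check(filename: str) -> bool:
    """Allow the upload unless the literal file name ends in a denylisted extension."""
    return not any(filename.endswith(ext) for ext in DENYLIST)


# Hardened form: an allowlist of image extensions, matched case-insensitively
# and applied to every dot-separated suffix, so "shell.php.jpg" is rejected too.
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def strict_check(filename: str, allowed: Iterable[str] = ALLOWLIST) -> bool:
    """Allow the upload only if every suffix of the bare file name is allowlisted."""
    allowed = {a.lower() for a in allowed}
    # Drop any directory component (also on Windows-style names).
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        return False  # no extension at all, or a dotfile such as ".htaccess"
    return all(p.lower() in allowed for p in parts[1:])


if __name__ == "__main__":
    # Constructed sample names that show where the weak check fails.
    for sample in ["photo.JPG", "shell.php", "shell.PHP", "shell.phtml", "shell.php.jpg", ".htaccess"]:
        print(f"{sample:14} weak={weak_check(sample)!s:5} strict={strict_check(sample)}")
```

The denylist version passes `shell.PHP`, `shell.phtml` and `shell.php.jpg`, any of which a PHP-handling web server may execute depending on its configuration, while the allowlist version refuses all of them and accepts only names whose every suffix is an image extension. An extension check alone is still only one layer: in WordPress the built-in `wp_check_filetype_and_ext()` also inspects file contents, and uploads are best stored where the web server will not execute them.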

This isn’t a new issue. Sucuri commented on Uploadify specifically back during the TimThumb craze. Like TimThumb, Uploadify needs WordPress admin awareness and possibly action by hosting providers.

WordPress users can search for uploadify.php, although the file name may be different.
There are also lists of known vulnerable plugins and themes here and here.
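Because the handler may have been renamed, a search by file name alone can miss it. The following added script (not from the post, and not an official scanner) walks a WordPress directory and flags files named uploadify.php, any file with "uploadify" in its name, and PHP files whose contents mention "uploadify" as a heuristic for renamed copies. The sample tree it builds is constructed for the demo; its paths and file contents are assumptions.

```python
import tempfile
from pathlib import Path

NAME_HINT = "uploadify"        # file names containing this are flagged
CONTENT_HINT = b"uploadify"    # PHP files mentioning it are flagged too (heuristic)
MAX_READ = 256 * 1024          # inspect only the first 256 KiB of each PHP file


def find_uploadify(root):
    """Walk a WordPress tree and return sorted (relative path, reason) pairs."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        lower = path.name.lower()
        if lower == "uploadify.php":
            hits.append((rel, "file named uploadify.php"))
        elif NAME_HINT in lower:
            hits.append((rel, "file name contains 'uploadify'"))
        elif path.suffix.lower() == ".php":
            try:
                with path.open("rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if CONTENT_HINT in head.lower():
                hits.append((rel, "PHP file references 'uploadify' (renamed copy?)"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed WordPress-like layout in a temp dir; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "wp-content/themes/demo-theme/js/uploadify.php": "<?php // constructed stand-in for the bundled handler\n",
        "wp-content/plugins/demo-plugin/lib/upload.php": "<?php // constructed: uses Uploadify under another name\n",
        "wp-content/plugins/demo-plugin/js/uploadify.js": "// constructed stub\n",
        "wp-content/themes/demo-theme/functions.php": "<?php // nothing of interest\n",
        "wp-content/uploads/2012/09/photo.jpg": "not a real jpeg\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return str(root)


if __name__ == "__main__":
    demo = build_sample_tree()
    for rel, why in find_uploadify(demo):
        print(f"{rel}: {why}")
```

Run it against a real install with `find_uploadify("/path/to/wordpress")`; a hit is a prompt to compare the file against the lists of known vulnerable themes and plugins and against the current version of whatever bundles it, not proof of compromise by itself.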

I would also suggest looking at WordPress security layers. While Incapsula detected TimThumb, I’m really not sure their free plan does much beyond block spam now. I’ll have to ask. Same with Cloudflare. On the WordPress side there are a number of security plugins.