[wp-trac] [WordPress Trac] #24728: Provide option to disable / remove swfupload

WordPress Trac noreply at wordpress.org
Sat Nov 18 12:31:59 UTC 2017

#24728: Provide option to disable / remove swfupload
 Reporter:  msaffitz     |       Owner:
     Type:  enhancement  |      Status:  reopened
 Priority:  normal       |   Milestone:
Component:  Upload       |     Version:
 Severity:  major        |  Resolution:
 Keywords:  needs-patch  |     Focuses:
Changes (by bilalakil):

 * status:  closed => reopened
 * resolution:  maybelater =>
 * severity:  normal => major


 Hi there, bringing this back up due to a recent incident on my WordPress
 site. It was hacked somehow, a foreign PHP file turned up at
 wp-includes/js/swfupload/ukqdwrmx.php and started spamming people, and the
 webhost shut down my site.

 I didn't check the contents of that file before I deleted it (which I
 regret - would've been interesting).

 While this is just a guess, it might be the case that this deprecated
 swfupload thingy has had a vulnerability revealed in the last few years,
 and is now being exploited. If this is true, it might be a matter of
 urgency to remove it from WordPress.

 This suspicious code snippet indicates that it may indeed be used as an
 exploit: https://packetstormsecurity.com/files/121348/SWFUpload-CSRF-XSS-

 You can see the following example URLs:

 Concerning that it's also in some plugins...

 I'm not the most educated on this matter, but just wanted to bring the
 topic back up for consideration.


Ticket URL: <https://core.trac.wordpress.org/ticket/24728#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
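The comment above describes a rogue PHP file dropped into wp-includes/js/swfupload, a directory that ships only JavaScript and SWF assets. A quick integrity check a site owner can run is to list any .php file under asset-only directories of the install; the script below is an added example, not code from the ticket or from WordPress itself. It assumes a standard WordPress layout and extends the check from wp-includes/js to wp-content/uploads, which likewise should never contain PHP; the directory list and the sample file names used in testing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report PHP files in WordPress directories that should hold
# only static assets. Such files are unexpected and worth inspecting (keep a
# copy for analysis before removing anything).
# Assumption: standard WordPress layout rooted at the path given as $1.

find_stray_php() {
  wp_root="$1"
  # Asset-only directories (constructed list; extend for your install).
  for d in wp-includes/js wp-content/uploads; do
    [ -d "$wp_root/$d" ] || continue
    # Print every regular file ending in .php beneath the asset directory.
    find "$wp_root/$d" -type f -name '*.php'
  done
}

# Count of stray PHP files; non-zero means something needs a look.
count_stray_php() {
  find_stray_php "$1" | wc -l | tr -d ' '
}

# Usage: sh check_stray_php.sh /var/www/html
if [ "$#" -ge 1 ]; then
  find_stray_php "$1"
  echo "stray PHP files: $(count_stray_php "$1")"
fi
```

Run it against the web root on a schedule or after any suspicious activity; a non-empty listing is a strong signal that the install has been tampered with, since WordPress core never places PHP under wp-includes/js or wp-content/uploads.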