Nov 24 2004

ImageManager plugin for WordPress is INSECURE!!!

Published by at 10:23 am under PHP

This is an old article and the information contained within it may be out of date, not reflect my current views and/or contain broken links. If you feel this article is still valid and requires updating, you can use the contact form to let me know. However, I make no guarantee that it will get updated.

I have just been playing around with my own website to see what I can and can’t do as a general “Joe Public” user. It turns out that with the basic installation of the ImageManager plugin that is available for the WordPress blogging system it is possible for anyone to upload, edit or even delete pictures from the server.

I haven’t played enough to see if it is possible to run malicious code on the server yet… but I’m sure it wouldn’t be that difficult.

Needless to say I have disabled the plugin on this blog, so don’t even try it!!!!

One response so far