Unauthenticated Remote Code Execution in e-signature plugin

During a recent audit we discovered an unauthenticated remote code execution in the plugin e-signature. All versions less than 1.5.6.8 are vulnerable.

Disclosure / Response Timeline

  • January 08, 2021: Initial contact.
  • January 11, 2021: Patch is live.

Current State of the Vulnerability

Unauthenticated vulnerabilities are very serious because they can be easily automated. We strongly encourage e-signature users to update their plugin to version 1.5.6.8 as soon as possible. Unfortunately this vulnerability is already being exploited.

Attacks in the wild

If you have older versions of this plugin installed and see requests to /wp-admin/admin-ajax.php?action=sif_upload_file your site may have already been compromised. The most recent attack is uploading the following malicious files:

  • wp-contact.php
  • coder.php

Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional details.

New posts to your inbox.

0 Comments