During a recent audit we discovered an unauthenticated remote code execution vulnerability in the e-signature plugin. All versions earlier than 1.5.6.8 are vulnerable.
Disclosure / Response Timeline
- January 08, 2021: Initial contact.
- January 11, 2021: Patch is live.
Current State of the Vulnerability
Unauthenticated vulnerabilities are very serious because they can be easily automated. We strongly encourage e-signature users to update their plugin to version 1.5.6.8 as soon as possible. Unfortunately, this vulnerability is already being exploited.
Attacks in the wild
If you have an older version of this plugin installed and see requests to /wp-admin/admin-ajax.php?action=sif_upload_file, your site may have already been compromised. The most recent attack uploads the following malicious files:
- wp-contact.php
- coder.php
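The two indicators above (requests carrying the sif_upload_file action, and the dropped file names) can be checked mechanically. The script below is an added example written for this post, not code from the advisory or from the plugin; it assumes an Apache/nginx "combined" access-log format and a web root you pass in, and the log lines embedded in it are constructed, not real traffic.

```python
import os
import posixpath
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the advisory above.
SUSPICIOUS_ACTION = "sif_upload_file"
DROPPED_FILES = {"wp-contact.php", "coder.php"}

# Apache/nginx "combined" access-log format (assumption: adjust if your server logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_target(target: str) -> Optional[str]:
    """Map a request target to an indicator kind, or None if it is unremarkable."""
    parts = urlsplit(target)
    # admin-ajax.php with action=sif_upload_file in the query string is the exploit entry point.
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        if SUSPICIOUS_ACTION in parse_qs(parts.query).get("action", []):
            return "upload_attempt"
    # A request for one of the listed file names suggests a dropped file is being used.
    if posixpath.basename(parts.path) in DROPPED_FILES:
        return "dropped_file_access"
    return None


def find_indicators(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line that matches an indicator from the advisory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        kind = classify_target(m.group("target"))
        if kind:
            hits.append({"kind": kind, "ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": m.group("status")})
    return hits


def find_dropped_files(paths: Iterable[str]) -> List[str]:
    """Keep only the paths whose file name is one of the names listed in the advisory."""
    return [p for p in paths if os.path.basename(p) in DROPPED_FILES]


def scan_tree(root: str) -> List[str]:
    """Walk a web root (any directory, since the upload location is not stated) for the listed names."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(find_dropped_files(os.path.join(dirpath, f) for f in files))
    return found


# Constructed sample log lines (not real traffic): two exploit attempts, one access to a dropped file,
# and one ordinary admin-ajax heartbeat that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2021:03:14:15 +0000] "POST /wp-admin/admin-ajax.php?action=sif_upload_file HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '198.51.100.9 - - [12/Jan/2021:03:14:16 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2021:03:14:20 +0000] "GET /wp-content/uploads/wp-contact.php HTTP/1.1" 200 4096 "-" "curl/7.68.0"',
    '192.0.2.4 - - [12/Jan/2021:03:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=sif_upload_file&x=1 HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit)
    # On a real host: print(scan_tree("/var/www/html"))
```

A blocked attempt (the 403 above) and a successful one (the 200) both deserve a look; the status column only tells you whether the server let the request through. One caveat: WordPress also accepts the action parameter in the POST body, which a standard access log does not record, so a clean query-string search does not prove the site was not hit, and the file-name scan should be run regardless.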
Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional details.