During a recent audit we discovered an unauthenticated remote code execution vulnerability in the e-signature plugin. All versions lower than 220.127.116.11 are vulnerable.
Disclosure / Response Timeline
- January 08, 2021: Initial contact.
- January 11, 2021: Patch is live.
Current State of the Vulnerability
Unauthenticated vulnerabilities are especially serious because exploitation requires no account on the target site and can be automated at scale against every site running the plugin. We strongly encourage e-signature users to update the plugin to version 18.104.22.168 as soon as possible. This vulnerability is already being exploited in the wild.
Attacks in the wild
If you have an older version of this plugin installed and see requests to /wp-admin/admin-ajax.php?action=sif_upload_file in your access logs, your site may already have been compromised. The most recent attack uploads the following malicious files:
Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional details.
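As an added example, not part of the original advisory, the following Python script scans an Apache/nginx combined-format access log for the indicator named under "Attacks in the wild" and summarises the hits by source address and first-seen time, so the time window for further triage can be scoped. The log lines are constructed for the example, and the log format, the allowance for WordPress installed under a subdirectory, and all function names are assumptions of this example rather than anything from the advisory.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicator of compromise taken from the advisory: requests to the
# admin-ajax endpoint carrying action=sif_upload_file.
IOC_ENDPOINT = "/wp-admin/admin-ajax.php"
IOC_ACTION = "sif_upload_file"

# Apache/nginx "combined" log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log, not real traffic; 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:04:12:31 +0000] "GET /wp-admin/admin-ajax.php?action=sif_upload_file HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Jan/2021:04:12:33 +0000] "POST /wp-admin/admin-ajax.php?action=sif_upload_file HTTP/1.1" 200 87 "-" "python-requests/2.25.1"
198.51.100.20 - - [10/Jan/2021:04:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "https://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2021:05:01:10 +0000] "POST /blog/wp-admin/admin-ajax.php?action=sif_upload_file&nonce=x HTTP/1.1" 403 13 "-" "curl/7.68.0"
192.0.2.9 - - [10/Jan/2021:05:02:44 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "curl/7.68.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sif_upload(entry: Dict[str, str]) -> bool:
    """True when the request targets admin-ajax.php with action=sif_upload_file.

    endswith() allows WordPress installed under a subdirectory (e.g. /blog/).
    parse_qs() percent-decodes, so an encoded action value still matches.
    """
    parts = urlsplit(entry["target"])
    if not parts.path.endswith(IOC_ENDPOINT):
        return False
    return IOC_ACTION in parse_qs(parts.query).get("action", [])


def find_indicators(lines: List[str]) -> List[Dict[str, object]]:
    """Return the matching requests in log order, with parsed time and status."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_sif_upload(entry):
            continue
        hits.append({
            "ip": entry["ip"],
            "time": datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": entry["method"],
            "status": int(entry["status"]),
            "ua": entry["ua"] or "",
        })
    return hits


def summarize_by_ip(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count matching requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


def first_seen(hits: List[Dict[str, object]]) -> Optional[datetime]:
    """Earliest matching request; use it as the start of the triage window."""
    return min((h["time"] for h in hits), default=None)


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"].isoformat()} {h["ip"]} {h["method"]} {h["status"]} {h["ua"]}')
    print("per source:", summarize_by_ip(found))
    print("first seen:", first_seen(found))
```

Two caveats when reading the output. admin-ajax.php takes the action from either the query string or the POST body, so a request that sends the action only in the body appears in the access log as a bare "POST /wp-admin/admin-ajax.php" and will not match; an empty result from the access log does not prove the site was untouched. Conversely, a 403 on a matching request shows an attempt, not a successful upload, so treat the status column as part of the triage rather than filtering it out. Once a first-seen time is known, compare files under wp-content (especially any .php files under the uploads directory) modified after that time against a known-good copy of the site.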