CVE-2020-36706: 
WordPress vulnerability analysis and mitigation

The Simple:Press WordPress Forum Plugin versions up to 6.6.0 contains a critical vulnerability (CVE-2020-36706) that allows arbitrary file uploads due to missing file type validation. The vulnerability was discovered by Jerome Bruandet from NinTechNet and was publicly disclosed on September 25, 2020. The issue affects the plugin's file upload functionality in the ~/admin/resources/jscript/ajaxupload/sf-uploader.php file (NinTechNet Blog, WPScan).

The vulnerability stems from a broken access control issue in the plugin's AJAX actions handling. The uploader action is accessible to all users, authenticated or not, and lacks proper capability checks and security nonces. The function only attempts to verify file types using exif_imagetype, which can be bypassed by prepending GIF magic bytes to malicious PHP files. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NinTechNet Blog, Wordfence).

The vulnerability allows attackers to upload arbitrary files to the affected sites' servers, potentially leading to remote code execution. This could enable unauthorized access, privilege escalation, and complete server compromise. The impact is particularly severe as the vulnerability can be exploited without authentication (Acunetix).

The vulnerability was fixed in version 6.6.1, released on September 18th, 2020. Site administrators are strongly advised to upgrade immediately if running version 6.6.0 or below. Users of NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) are protected against this vulnerability (NinTechNet Blog).