CVE-2022-1103: 
WordPress vulnerability analysis and mitigation

The Advanced Uploader WordPress plugin through version 4.2 contains a vulnerability identified as CVE-2022-1103. The vulnerability was discovered by Roel van Beurden and publicly disclosed on April 19, 2022. This security issue affects the WordPress plugin 'advanced-uploader' and allows any authenticated users with subscriber-level privileges to upload arbitrary files, including PHP files (WPScan, CVE Mitre).

The vulnerability exists in the file upload functionality of the Advanced Uploader plugin. Authenticated users, including those with minimal privileges such as subscribers, can upload arbitrary files through the path '/wp-admin/upload.php?page=adv-file-upload'. The uploaded files, including potentially malicious PHP files, are stored in the WordPress uploads directory at 'wp-content/uploads/2022/03/.php' (WPScan).

The vulnerability allows authenticated users to upload arbitrary files, including PHP files, which could potentially lead to Remote Code Execution (RCE) on the affected WordPress installation. This presents a significant security risk as even users with minimal privileges could potentially execute malicious code on the server (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Website administrators using the Advanced Uploader plugin version 4.2 or below should consider disabling the plugin or implementing additional security controls to restrict file upload capabilities (WPScan).