via pluginvulnerabilities.com => original post link
When it comes to vulnerabilities in WordPress plugins, one of the most serious types is an arbitrary file upload vulnerability. That type of vulnerability would allow anyone to upload any type of file to the website. Hackers usually exploit that to upload .php files, as they can run arbitrary code on the website through that. That would allow them to add malware or spam to the website, allow them to send spam email or attack other websites, as well as other assorted activity.
To help to better understand what is going wrong, that leads to such a vulnerability and how those issues can be avoided, let’s break down a vulnerability of that type we spotted last month being introduced in to a plugin that comes directly from WordPress. [Read more]