Uploadify Security Issue
Are you using the WordPress Newsletter plugin or the WordPress Shopping Cart plugin? If you are, please read on: this is an important security announcement that affects all users of both plugins.
We are sorry to inform you that the Uploadify script used in the Newsletter plugin and Shopping Cart plugin has caused security issues for our users and some sites were hacked. Please note that this is not the fault of Uploadify but rather a flaw in the implementation on our side.
Update: New versions of the Newsletter plugin and Shopping Cart plugin have been uploaded to the Tribulant Software website. Please get them from your downloads section.
What happened exactly?
The Uploadify script is used in both plugins for their file upload custom fields, so that your users can upload files via Ajax (without a page refresh).
The upload is handled by wp-checkout/vendors/uploadify/upload.php, which takes the posted file data and moves the file into wp-content/uploads/wp-checkout/uploadify/, where it is publicly accessible.
Attackers exploited upload.php to place their own files, including scripts, in that upload directory and then executed them by requesting them through the browser.
How do we fix this?
We have already applied fixes in our latest builds and will release them shortly. In the meantime, please apply the workaround below, because your current installation is insecure.
Please also see the Making Uploadify Secure article recently posted by Uploadify, which gives instructions on hardening the script against attackers; work through each of its points to fix the problem.
If you don’t use any file upload custom fields in the plugins, please just completely delete
If you are using file upload custom fields and you don't want to lose this functionality, go to
wp-content/uploads/wp-checkout/uploadify and put a blank index.php file in there so the directory contents cannot be listed. Also create a .htaccess file in that directory with the following in it:
deny from all
Options All -Indexes
This .htaccess file makes the upload directory inaccessible to the public, so that even if a script is uploaded there it cannot be requested through the browser and executed. Two caveats: these directives only take effect on Apache when AllowOverride permits them for that path (Limit for deny, Options for Options; if it does not, Apache returns a 500 error for the directory instead), and on Apache 2.4 the equivalent of "deny from all" is "Require all denied". Nginx and other servers ignore .htaccess entirely, so there the same restriction must be configured in the server itself. Note also that "deny from all" blocks direct browser access to legitimately uploaded files as well; if those files need to be downloadable by URL, restrict the rule to script extensions (for example with a FilesMatch block on .php) rather than denying everything.
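The workaround above only closes the door on the web-server side. For reference, here is an added example (not Tribulant's or Uploadify's code) of what a hardened upload handler of the kind described in this post looks like when the checks are done server-side as well: authentication and a nonce on the request, an extension allowlist enforced on the server, a content check against the claimed type, a random server-chosen filename, and the upload directory itself protected with the same index.php and .htaccess measures. It assumes, as the original post does not state, that the file arrives as $_FILES['Filedata'] (Uploadify's default field name), that the request carries a nonce in $_POST['nonce'] for the action 'uploadify_upload', and that the handler is registered on the admin-ajax hook 'wp_ajax_uploadify_upload'; all three names are assumptions.

```php
<?php
// Added example, not Tribulant's or Uploadify's code: a hardened replacement for an
// upload.php of the kind described above, written as a WordPress admin-ajax handler.
// Assumptions (not stated in the original post): the file arrives as $_FILES['Filedata']
// (Uploadify's default field name), the request carries a nonce in $_POST['nonce'] for
// the action 'uploadify_upload', and files are stored under
// wp-content/uploads/wp-checkout/uploadify/ as in the post.

// Allowlist of extensions the custom field really needs: no php/phtml/html/svg/htaccess.
const UPLOADIFY_ALLOWED_EXT = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip');
const UPLOADIFY_MAX_BYTES   = 5242880; // 5 MiB

function uploadify_target_dir() {
    $upload = wp_upload_dir();
    return trailingslashit($upload['basedir']) . 'wp-checkout/uploadify/';
}

// Drop a blank index.php and a .htaccess into the upload directory so that directory
// listings are off and Apache serves nothing from it (both 2.2 and 2.4 syntax).
function uploadify_harden_dir($dir) {
    if (!wp_mkdir_p($dir)) {
        return false;
    }
    if (!file_exists($dir . 'index.php')) {
        file_put_contents($dir . 'index.php', "<?php\n// Silence is golden.\n");
    }
    if (!file_exists($dir . '.htaccess')) {
        $rules = "Options -Indexes\n"
               . "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
               . "<IfModule !mod_authz_core.c>\n    Deny from all\n</IfModule>\n";
        file_put_contents($dir . '.htaccess', $rules);
    }
    return true;
}

// Handle one upload. Returns the stored filename on success or a WP_Error on failure.
function uploadify_handle_upload() {
    // 1. Authentication and CSRF: an upload endpoint that any anonymous POST can reach
    //    is the root of the problem, regardless of what it does with the file afterwards.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        return new WP_Error('forbidden', 'Not allowed to upload files.');
    }
    if (empty($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'uploadify_upload')) {
        return new WP_Error('bad_nonce', 'Invalid or expired upload token.');
    }

    // 2. Basic sanity on the posted file.
    if (empty($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
        return new WP_Error('no_file', 'No file was uploaded.');
    }
    $file = $_FILES['Filedata'];
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > UPLOADIFY_MAX_BYTES) {
        return new WP_Error('bad_file', 'Upload rejected.');
    }

    // 3. Server-side extension allowlist (Uploadify's client-side file-type filter runs in
    //    the browser only and is trivially bypassed), plus WordPress's content-vs-extension
    //    check so a PHP script renamed to .jpg is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOADIFY_ALLOWED_EXT, true)) {
        return new WP_Error('bad_ext', 'File type not allowed.');
    }
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || strtolower($check['ext']) !== $ext) {
        return new WP_Error('bad_type', 'File content does not match its extension.');
    }

    // 4. Never reuse the client-supplied name: a random server-chosen name means the
    //    client controls neither the path nor the extension that ends up on disk.
    $dir = uploadify_target_dir();
    if (!uploadify_harden_dir($dir)) {
        return new WP_Error('no_dir', 'Upload directory is not writable.');
    }
    $name = wp_generate_password(20, false, false) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        return new WP_Error('move_failed', 'Could not store the file.');
    }
    chmod($dir . $name, 0644);
    return $name;
}

// Wire the handler up as a logged-in-only admin-ajax action (hook name is assumed).
add_action('wp_ajax_uploadify_upload', function () {
    $result = uploadify_handle_upload();
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 403);
    }
    wp_send_json_success(array('file' => $result));
});
```

The order of the checks matters: the authentication and nonce checks run before the file is even looked at, so an anonymous attacker never reaches the filesystem, and the random filename means that even a mistake in the allowlist cannot be combined with a client-controlled path. Because the handler is registered under wp_ajax_ rather than wp_ajax_nopriv_, WordPress itself refuses the request for logged-out users.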
We apologize for any inconvenience and trouble caused by this! We hope that this blog post reaches everyone quickly and we assure you that we are releasing versions with a security update shortly.
I am the owner at Tribulant Software and I have a great passion for WordPress, development, blogging and the Internet in general. Building useful plugins to improve WordPress’ functionality is my goal.
Start selling products, sending newsletters, publishing ads, and more through your own WordPress website using our premium WordPress plugins.
Thank you for your comment, Matt.
We are sorry for any inconvenience and/or trouble caused by this problem and we hope that you will upgrade and continue to use the plugin.
We sell our plugins commercially, and for that reason we do not distribute them as open source on WordPress.org.
Thank you for understanding!
This plugin introduced a very serious vulnerability on our site, so I’m glad to hear that you have addressed the problem. But the issue would have been addressed much more quickly had you made your source code available and added it to the WordPress repository. I urge you to consider becoming part of the open-source WordPress ecosystem that would allow greater inspection of your code and thus greater security for those using it.
For our part, we will be very reluctant to purchase plugins that do not participate in the wider WordPress community because of the security vulnerabilities that black-boxed plugins can introduce to our site.