WordPress Plugin Vulnerabilities

WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)

Description

WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are run as if their extension were ".php" on most hosting platforms.

This is because "includes/admin/attachment/uploadAttachment.php" contains this code:

    switch ($extension){
        case 'exe':
        case 'php':
        case 'js':
            $isError=true;
            $errorMessege=__('Error: file format not supported!','wp-support-plus-responsive-ticket-system');

But it does not check for other extensions like ".phtml". In addition, it saves the file with a predictable name based on the timestamp, and anyone can load the file and run the code it contains.
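
The two weaknesses described above (a deny-list of extensions and a timestamp-based file name) are contrasted with a hardened form in the following added example, which is not the plugin's code or its actual fix. The function names, the allow-list contents and the way the extension is extracted are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.

// Extensions accepted for ticket attachments (assumed list; set per site policy).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Final extension of an uploaded name, lower-cased ('' when there is none). */
function upload_extension(string $filename): string
{
    return strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
}

/** Deny-list with the same three cases as the excerpt above. */
function denylist_rejects(string $filename): bool
{
    return in_array(upload_extension($filename), ['exe', 'php', 'js'], true);
}

/**
 * Allow-list check plus unpredictable storage name.
 * Returns the name to store the file under, or null when the upload is refused.
 * The stored name is rebuilt from CSPRNG output and the one validated extension,
 * so nothing else from the client-supplied name reaches the disk.
 */
function safe_stored_name(string $filename): ?string
{
    $extension = upload_extension($filename);
    if (!in_array($extension, ALLOWED_EXTENSIONS, true)) {
        return null; // anything not explicitly allowed is refused
    }
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Constructed sample names, not taken from any real upload.
$samples = ['notes.txt', 'photo.JPG', 'a.php', 'a.phtml', 'a.php5', 'a.php.jpg'];
foreach ($samples as $name) {
    printf(
        "%-10s deny-list refuses: %-5s  stored as: %s\n",
        $name,
        var_export(denylist_rejects($name), true),
        safe_stored_name($name) ?? '(refused)'
    );
}
```

The deny-list refuses only "a.php" from the sample names, while the allow-list refuses "a.php", "a.phtml" and "a.php5". Serving the upload directory with script execution disabled covers the case where a check like this is bypassed.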

Plugin author notified 2017-11-09.

Classification

Type: RCE

Miscellaneous

Submitter: Robert Mathews
Verified: No

Timeline

Publicly Published: 2017-11-11
Added: 2017-11-12
Last Updated: 2020-03-08
