WordPress OptimizePress unrestricted file upload - Vulnerability Database

WordPress OptimizePress unrestricted file upload

Description

The OptimizePress WordPress theme contains an unrestricted file upload vulnerability in the wp-content/themes/OptimizePress/lib/admin/media-upload.php file. This file lacks proper authentication and file type validation, allowing unauthenticated attackers to upload arbitrary files, including malicious PHP scripts, to the web server. Once uploaded, these files can be executed remotely, giving attackers control over the affected system.

Remediation

Immediately remove the vulnerable file wp-content/themes/OptimizePress/lib/admin/media-upload.php from your web server. After removal, verify that no malicious files have been uploaded by reviewing recently created files in the uploads directory and other writable locations. Update to the latest version of OptimizePress or migrate to a supported, actively maintained theme. Additionally, implement the following security measures:

1. Search for and remove any suspicious files that may have been uploaded through this vulnerability
2. Review web server access logs for evidence of exploitation
3. Change all WordPress administrator passwords and database credentials
4. Install a web application firewall (WAF) to help prevent similar attacks
5. Regularly update all WordPress themes, plugins, and core files to their latest versions
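A defensive way to carry out the file-removal check and steps 1 and 2 above, as an added example that is not part of the Invicti advisory: it tests whether the vulnerable file is still present, lists recently modified PHP files under wp-content/uploads, and counts access-log requests that reference media-upload.php. The WordPress root, the log path and the sample tree the script builds are constructed assumptions, not page content.

```sh
#!/bin/sh
# Added example (not from the Invicti advisory). Post-remediation checks for the
# OptimizePress media-upload.php issue. The sample tree and log are constructed.
VULN_REL="wp-content/themes/OptimizePress/lib/admin/media-upload.php"

# Returns 0 while the vulnerable file still exists under WordPress root $1.
vuln_file_present() {
    [ -f "$1/$VULN_REL" ]
}

# Lists PHP-like files under wp-content/uploads modified in the last $2 days
# (default 30). Uploads should hold media only, so every hit deserves review.
recent_php_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' \) \
        -mtime -"${2:-30}" 2>/dev/null | sort
}

# Counts access-log ($1) lines that reference the vulnerable script at all;
# prints 0 when there are none or the log is missing.
count_requests_to_vuln_file() {
    n=$(grep -c 'OptimizePress/lib/admin/media-upload.php' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Builds a constructed WordPress-like tree plus a two-line access log so the
# script runs stand-alone; point the functions at a real install instead.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/OptimizePress/lib/admin" \
             "$root/wp-content/uploads/2024/05"
    : > "$root/$VULN_REL"
    : > "$root/wp-content/uploads/2024/05/photo.jpg"
    : > "$root/wp-content/uploads/2024/05/wp-cache.php"  # constructed suspect
    printf '%s\n' \
      '203.0.113.5 - - [01/May/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512' \
      '203.0.113.9 - - [01/May/2024:10:01:00 +0000] "POST /wp-content/themes/OptimizePress/lib/admin/media-upload.php HTTP/1.1" 200 128' \
      > "$root/access.log"
    echo "$root"
}

SAMPLE_ROOT=$(build_sample_tree)
if vuln_file_present "$SAMPLE_ROOT"; then
    echo "vulnerable file present, remove: $SAMPLE_ROOT/$VULN_REL"
fi
echo "recent PHP files under uploads:"
recent_php_uploads "$SAMPLE_ROOT" 30
echo "requests to media-upload.php: $(count_requests_to_vuln_file "$SAMPLE_ROOT/access.log")"
```

Run it against a real install by calling the three functions with the actual WordPress root and access-log path; any hit from recent_php_uploads or a non-zero request count deserves manual review.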
