CVE-2017-16949 in AccessKeys AccessPress Anonymous Post Pro Plugin

Summary

by MITRE

An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.


Analysis

by VulDB Data Team • 08/11/2025

This vulnerability exists in the AccessKeys AccessPress Anonymous Post Pro plugin for WordPress, version 3.1.9 and earlier, and undermines the plugin's file upload validation. The cause is improper input sanitization in the file upload code, specifically inc/cores/file-uploader.php and file-uploader/file-uploader-class.php: the settings for allowed file extensions and maximum upload size are taken from the request rather than from server-side configuration. An attacker exploits this by sending the allowedExtensions parameter (and, if wanted, the size setting) in a request to the admin-ajax.php endpoint, which bypasses the file type restriction that is supposed to block malicious uploads.

Concretely, a request carrying action=ap_file_upload_action and allowedExtensions[]=php overrides the plugin's built-in restriction to safe extensions. The flaw sits at the input validation layer: the plugin treats a client-supplied parameter as authoritative policy, so the attacker chooses which file types are accepted and can upload a PHP file that the web server will execute. This is improper input validation (CWE-20) in its general form; the more specific classification is CWE-434, Unrestricted Upload of File with Dangerous Type.
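The two patterns described above, as an added example that is not the plugin's code: a Python model of the decision logic in which accept_vulnerable takes its policy from the request, as the advisory describes, and accept_hardened takes it only from server-side configuration. The parameter names allowedExtensions[] and sizeLimit, the server policy values and the sample cases are assumptions for the illustration; the example also generalizes past the single php case to an upper-case extension, a double extension and a size override.

```python
"""Model of the client-supplied-policy flaw behind CVE-2017-16949.

Added example, not the plugin's code: the plugin's real PHP is not reproduced
here. The request parameter names ``allowedExtensions[]`` and ``sizeLimit``
and the server-side policy values are assumptions for the illustration.
"""
import os
from dataclasses import dataclass

# Extensions commonly mapped to the PHP interpreter; .php alone is not enough.
EXECUTABLE = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"})


@dataclass(frozen=True)
class Policy:
    allowed_extensions: frozenset   # lower-case, no leading dot
    size_limit: int                 # bytes


# Assumed server-side configuration: what the site owner actually chose.
SERVER_POLICY = Policy(frozenset({"jpg", "jpeg", "png", "pdf"}), 2_000_000)


def _segments(filename):
    """Every extension segment of a name, lower-cased: 'a.php.jpg' -> ['php', 'jpg']."""
    return [p.lower() for p in os.path.basename(filename).split(".")[1:] if p]


def accept_vulnerable(request, filename, size, server=SERVER_POLICY):
    """Flawed pattern: values posted by the client replace the configured policy.

    `request` is the parsed query/POST dict; a list under `allowedExtensions[]`
    or a string under `sizeLimit` is treated as authoritative when present.
    """
    exts = request.get("allowedExtensions[]")
    allowed = frozenset(e.lower() for e in exts) if exts else server.allowed_extensions
    limit = int(request["sizeLimit"]) if request.get("sizeLimit") else server.size_limit
    segs = _segments(filename)
    # Only the final extension is consulted, and only against the client's list.
    return bool(segs) and segs[-1] in allowed and size <= limit


def accept_hardened(request, filename, size, server=SERVER_POLICY):
    """Fixed pattern: the request carries the file only; policy is server-side."""
    del request  # deliberately unused: nothing in the request may change policy
    segs = _segments(filename)
    if not segs:
        return False
    # Reject if any segment is executable: Apache AddHandler setups can run
    # shell.php.jpg as PHP, so checking only the last segment is not enough.
    if any(s in EXECUTABLE for s in segs):
        return False
    return segs[-1] in server.allowed_extensions and size <= server.size_limit


def compare(cases):
    """Run both checks over (label, request, filename, size); return label -> (vulnerable, hardened)."""
    return {label: (accept_vulnerable(r, f, s), accept_hardened(r, f, s))
            for label, r, f, s in cases}


# Constructed sample requests; the second mirrors the request in the advisory.
CASES = [
    ("benign jpg", {}, "photo.jpg", 120_000),
    ("advisory request", {"allowedExtensions[]": ["php"]}, "shell.php", 4_000),
    ("case variant", {"allowedExtensions[]": ["PHP"]}, "shell.PHP", 4_000),
    ("size override", {"sizeLimit": "999999999"}, "big.pdf", 50_000_000),
    ("double extension", {}, "shell.php.jpg", 4_000),
]

if __name__ == "__main__":
    for label, (vuln, hard) in compare(CASES).items():
        print(f"{label:18s} vulnerable={vuln!s:5s} hardened={hard}")
```

In a real WordPress plugin the hardened path should not be a home-grown check at all: hand the file to wp_handle_upload(), which applies the site's server-side allowed MIME list through wp_check_filetype_and_ext(), and never read a policy value from the request.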

The operational impact is severe. Successful exploitation places an attacker-controlled PHP file on the server, which gives code execution under the web server's account as soon as the file is requested. From there the usual consequences follow: reading the site's database credentials, exfiltrating data, moving laterally, and installing persistent backdoors. Note that /wp-admin/admin-ajax.php is not an authenticated admin interface despite its path: WordPress exposes it to every visitor, and handlers registered with the wp_ajax_nopriv_ prefix run for unauthenticated requests, which is how a plugin whose purpose is to let visitors post without an account is expected to register its upload handler. In ATT&CK terms the uploaded file is a web shell (T1505.003, Server Software Component: Web Shell) delivered by exploiting a public-facing application (T1190); this is PHP execution on the server, not a PowerShell technique.

Beyond the initial code execution, the uploaded web shell gives ongoing access and a foothold for privilege escalation in the hosting environment. The root cause is that the upload code lets the client dictate validation policy; allowed extensions and size limits must be decided on the server, and nothing in the request should be able to change them. Until a fixed version of the plugin is installed, practical mitigations are to disable or remove the plugin, to configure the web server so that nothing under wp-content/uploads is executed as PHP, to block requests to admin-ajax.php that carry allowedExtensions[] or a size parameter alongside action=ap_file_upload_action, and to alert on any .php (or .phtml, .phar and similar) file appearing under the uploads directory. The flaw is also a reminder that a single trust-the-client mistake in an upload path defeats every other control on the site, which is why upload handlers deserve explicit code review and testing.
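Detection for the two indicators named in the mitigation paragraph, as an added example that is not from the advisory: a parser that flags admin-ajax.php requests carrying the upload action together with a client-supplied policy parameter in the query string, and a scan of the uploads directory for files with an executable extension segment. The log lines, IP addresses and directory tree are constructed sample data, and the sizeLimit parameter name is an assumption. An access log only shows query-string parameters, so the POST variant in the sample is not flagged; catching parameters in a POST body needs a WAF or request logging that captures bodies, which is why the filesystem check is included as well.

```python
"""Detection for CVE-2017-16949 exploitation attempts and their artifacts.

Added example, not from the advisory. The log lines and the upload tree are
constructed sample data; the IP addresses are documentation ranges.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

EXECUTABLE = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"})
UPLOAD_ACTION = "ap_file_upload_action"
POLICY_PARAMS = ("allowedExtensions[]", "sizeLimit")   # sizeLimit name is assumed

# Combined Log Format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: an exploit attempt, an unflagged POST, a web shell being
# used from the uploads tree, and a normal heartbeat request.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2017:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ap_file_upload_action&allowedExtensions[]=php&qqfile=shell.php HTTP/1.1" 200 61 "-" "curl/7.55.1"
198.51.100.9 - - [18/Dec/2017:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=ap_file_upload_action HTTP/1.1" 200 58 "https://example.test/submit/" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:10:02:40 +0000] "GET /wp-content/uploads/2017/12/shell.php?cmd=id HTTP/1.1" 200 120 "-" "curl/7.55.1"
192.0.2.4 - - [18/Dec/2017:10:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""


def _segments(path):
    """Extension segments of the last path component, lower-cased."""
    return [p.lower() for p in os.path.basename(path).split(".")[1:] if p]


def analyze_line(line):
    """Return a finding dict for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)
    base = {"ip": m["ip"], "time": m["time"], "method": m["method"], "status": int(m["status"])}
    # Indicator 1: the plugin's upload action with client-supplied policy.
    if url.path.endswith("/wp-admin/admin-ajax.php") and UPLOAD_ACTION in params.get("action", []):
        overridden = [p for p in POLICY_PARAMS if p in params]
        if overridden:
            return dict(base, kind="policy_override", params=overridden)
    # Indicator 2: a script being served from the uploads tree.
    if "/wp-content/uploads/" in url.path and any(s in EXECUTABLE for s in _segments(url.path)):
        return dict(base, kind="php_in_uploads", path=url.path)
    return None


def analyze_log(text):
    """All findings for a block of access-log text, in line order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


def scan_uploads(root):
    """Sorted relative paths under root that have any executable extension segment."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if any(s in EXECUTABLE for s in _segments(name)):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_uploads():
    """Constructed wp-content/uploads tree in a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for rel in ("2017/12/photo.jpg", "2017/12/shell.php", "2017/12/avatar.php.jpg"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
    print(scan_uploads(build_sample_uploads()))
```

Run scan_uploads against the real wp-content/uploads directory on a schedule; a WordPress uploads tree should never contain PHP, so any hit is worth a ticket regardless of whether the matching request was ever logged.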

Reservation

11/26/2017

Disclosure

12/18/2017

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.38791

KEV

no

Activities

very low
