Arbitrary File Vulnerabilities And Why They Matter to Your Website

By Tony Perez (@perezbox) Posted in: website-security

Our last article explored the attack trends we were seeing against WordPress, and one thing became very evident — Arbitrary File Vulnerabilities ranked #1 among the vulnerability classes being scanned for. Although the scope of our tests was limited, the data helps defenders better understand the tactics, techniques and procedures (TTPs) being employed by bad actors.

Why Arbitrary File Vulnerabilities Matter

Of all the vulnerability classes, why are arbitrary file vulnerabilities so prominent? To better understand, we need a clear view of this family. While people often cite only “download” and “upload,” the class is broader:

| Class Type              | Basic Description                                                                                   | Severity |
|-------------------------|-----------------------------------------------------------------------------------------------------|----------|
| Arbitrary File Read     | The ability to view file contents (e.g., directory traversal/indexing allowing unintended reads).   | Moderate |
| Arbitrary File Execute  | Executing files on the server; commonly overlaps with Remote Code Execution (RCE).                  | Critical |
| Arbitrary File Download | Downloading files from the server (e.g., attackers attempting to fetch wp-config.php).              | Moderate |
| Arbitrary File Upload   | Uploading files to the server. If execution is possible, this becomes significantly more dangerous. | High     |

Things get especially tricky when vulnerabilities are daisy-chained. An arbitrary file download alone is annoying but manageable. Combine download + upload, and risk grows. Add remote execution and you have a serious incident on your hands.

Exploiting GET Requests

Arbitrary file vulnerabilities present attackers with opportunities to take control of sites or exfiltrate sensitive data. It’s why zero-day disclosures (like the 2021 Fancy Product Designer issue) are rapidly adopted into scanners. The first wave of probes often uses simple GET requests to verify the presence of files/endpoints:

[02/Jun/2021:07:26:33 +0000] "GET /wp-content/plugins/fancy-product-designer/assets/jssocials/jssocials.css HTTP/1.1" 404 20943 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"

GET is a favorite because the risk of detection is low and most sites must allow it for normal browsing. It lets attackers confirm whether targets exist before moving to exploitation. For upload-type bugs, checks often target known static assets (e.g., CSS) to confirm plugin presence before attempting an upload route. For download-type bugs, probes go straight for sensitive files—e.g., wp-config.php, .env, VCS metadata, Dockerfiles, etc.

GET requests are “quiet” by design — they power page views. That makes them ideal for reconnaissance without tripping crude alarms.
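As an added example (not code from the original article), here is a short Python pass over constructed access-log lines that flags the two reconnaissance patterns described above: 404s on a plugin's static assets (plugin fingerprinting) and requests for sensitive files such as wp-config.php or .env. The combined log format, the sample IPs and the exact sensitive-file list are assumptions, not taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format, modelled on the probe shown
# in the article; IPs, status codes and the extra paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2021:07:26:33 +0000] "GET /wp-content/plugins/fancy-product-designer/assets/jssocials/jssocials.css HTTP/1.1" 404 20943 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2021:07:26:35 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2021:07:26:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2021:07:30:01 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2021:07:30:02 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Files the article names as typical download-probe targets (assumed list).
SENSITIVE_RE = re.compile(
    r'(^|/)(wp-config\.php|\.env|\.git(/|$)|Dockerfile|docker-compose\.ya?ml)', re.IGNORECASE)
# A 404 on a plugin's static asset is a presence check, not normal browsing.
PLUGIN_ASSET_RE = re.compile(
    r'^/(?:[^/]+/)*wp-content/plugins/(?P<slug>[^/]+)/.+\.(css|js|png|txt)$')

def classify(path, status):
    """Label a request path as a probe, or return None if it looks benign."""
    if SENSITIVE_RE.search(path):
        return "sensitive-file-probe"
    m = PLUGIN_ASSET_RE.match(path)
    if m and status == 404:
        return f"plugin-fingerprint:{m.group('slug')}"
    return None

def find_probes(log_text):
    """Return {client_ip: [(path, status, label), ...]} for suspicious GETs only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        status = int(m.group("status"))
        label = classify(m.group("path"), status)
        if label:
            hits[m.group("ip")].append((m.group("path"), status, label))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        print(f"{ip} -> {len(events)} probe(s)")
        for path, status, label in events:
            print(f"   {status} {label:45} {path}")
```

Grouping by client IP is what makes the pattern visible: a single 404 on a CSS file is noise, but the same client following it with requests for wp-config.php and .env is reconnaissance worth alerting on.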

Using a WAF to Virtually Patch at the Edge

Zero-days highlight the value of a Web Application Firewall (WAF): when no patch exists yet, WAF rules can mitigate attack traffic immediately. With the NOC WAF, common exploit attempts are blocked at the edge even if the site is vulnerable:

2021-06-02 15:17:14 88.198.91.76 403 199 HIT waf:exploit_blocked3 GET /blog/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1 88.198.91.76 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
2021-06-02 13:58:03 88.198.91.76 301 166 HIT waf:exploit_blocked3 GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1 88.198.91.76 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36

This gives website owners peace of mind while developers work on fixes — a win-win that reduces exposure during the most dangerous window.