Our last article explored trends we were seeing against WordPress and something became very evident — arbitrary file vulnerabilities were the most frequently scanned-for vulnerability class. Although the scope of our tests was limited, the data helps defenders better understand the tactics, techniques and procedures (TTPs) being employed by bad actors.
Why Arbitrary File Vulnerabilities Matter
Of all the vulnerability classes, why are arbitrary file vulnerabilities so prominent? To better understand, we need a clear view of this family. While people often cite only “download” and “upload,” the class is broader:
| Class Type | Basic Description | Severity |
|---|---|---|
| Arbitrary File Read | The ability to view file contents (e.g., directory traversal/indexing allowing unintended reads). | Moderate |
| Arbitrary File Execute | Executing files on the server; commonly overlaps with Remote Code Execution (RCE). | Critical |
| Arbitrary File Download | Downloading files from the server (e.g., attackers attempting to fetch `wp-config.php`). | Moderate |
| Arbitrary File Upload | Uploading files to the server. If execution is possible, this becomes significantly more dangerous. | High |
Things get especially tricky when vulnerabilities are daisy-chained. An arbitrary file download alone is annoying but manageable. Combine download + upload, and risk grows. Add remote execution and you have a serious incident on your hands.
Exploiting GET Requests
Arbitrary file vulnerabilities present attackers with opportunities to take control of sites or exfiltrate sensitive data. It’s why zero-day disclosures (like the 2021 Fancy Product Designer issue) are rapidly adopted into scanners. The first wave of probes often uses simple GET requests to verify the presence of files/endpoints:
[02/Jun/2021:07:26:33 +0000] "GET /wp-content/plugins/fancy-product-designer/assets/jssocials/jssocials.css HTTP/1.1" 404 20943 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
GET is a favorite because the risk of detection is low and most sites must allow it for normal browsing. It lets attackers confirm whether targets exist before moving to exploitation. For upload-type bugs, checks often target known static assets (e.g., CSS) to confirm plugin presence before attempting an upload route. For download-type bugs, probes go straight for sensitive files, e.g., `wp-config.php`, `.env`, VCS metadata, Dockerfiles, etc.
Using a WAF to Virtually Patch at the Edge
Zero-days highlight the value of a Web Application Firewall (WAF): when no patch exists yet, WAF rules can mitigate attack traffic immediately. With the NOC WAF, common exploit attempts are blocked at the edge even if the site is vulnerable:
2021-06-02 15:17:14 88.198.91.76 403 199 HIT waf:exploit_blocked3 GET /blog/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1 88.198.91.76 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
2021-06-02 13:58:03 88.198.91.76 301 166 HIT waf:exploit_blocked3 GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1 88.198.91.76 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
This gives website owners peace of mind while developers work on fixes — a win-win that reduces exposure during the most dangerous window.