## https://sploitus.com/exploit?id=0D750076-D636-5A6C-9280-769278FDE7CD
# WebStack – WordPress Navigation Theme (Security Enhanced Version)
This WordPress navigation theme based on [owen0o0/WebStack](https://github.com/owen0o0/WebStack) has all known high-risk security vulnerabilities fixed in this version. ## Differences from the original version
The original theme had 5 security vulnerabilities (2 severe, 2 high-risk, 1 medium-risk). All these vulnerabilities have been fixed in this repository:
| Vulnerability Number | Severity | File | Type | Status |
| --- | --- | --- | --- | --- |
| VULN-01 | 🔴 Severe | `inc/ajax.php` | Unauthorized file upload (could lead to RCE) | ✅ Fixed |
| VULN-02 | 🔴 Severe | `inc/img-upload.php` | Legacy upload script accessible directly | ✅ Fixed (file deleted) |
| VULN-03 | 🟠 High-risk | `inc/ajax.php` | Unauthorized attachment deletion | ✅ Fixed |
| VULN-04 | 🟠 High-risk | `go.php` | Open redirection + HTML injection | ✅ Fixed |
| VULN-05 | 🟡 Medium-risk | `search-tool.php` | Confused eval() JavaScript code | ✅ Fixed |
Detailed descriptions of the vulnerabilities can be found in [SECURITY-AUDIT.md](./SECURITY-AUDIT.md). Solutions to the issues are described in [SECURITY-FIX-SUMMARY.md](./SECURITY-FIX-SUMMARY.md). ## Main fixes
**VULN-01 / VULN-03 – `inc/ajax.php`**
- Removed `wp_ajax_nopriv_*` hooks; upload/deletion functions are limited to logged-in users only.
- Added `check_ajax_referer()` nonce validation to prevent CSRF attacks.
- The allowlist for file extensions is changed from “defined but unused” to actually performing `in_array()` checks.
- Server-side PHP `finfo` is used to verify the real MIME type of files; client-side Content-Type is not trusted.
- `wp_handleUpload()` is used instead of bare `rename()`, which passes through WordPress’s built-in security filters.
- Attachment deletion now includes ownership verification; users can only delete images they uploaded.
**VULN-02 – `inc/img-upload.php`**
- Legacy scripts are deprecated and have been completely removed from the theme.
**VULN-04 – `go.php`**
- Uses `filter_var(..., FILTER_VALIDATE_URL)` to validate the of decoded URLs.
- `parse_url()` is used to restrict schemes to `http`/`https`; dangerous protocols like `javascript:` are blocked.
- Output is safely escaped using WordPress’s `esc_url()` function.
**VULN-05 – `search-tool.php`**
- The JS Packer obfuscation code has been replaced with plain-readable JavaScript equivalent to its functionality.
## Installation instructions
1. Download the repository ZIP file or use `git clone`.
2. Upload the theme folder to WordPress’s `wp-content/themes/` directory.
3. Enable **WebStack** in WordPress’s backend settings under “Appearance → Themes”.
4. Follow the original documentation to import and configure the navigation data.
## Additional server-level enhancements (strongly recommended)
Prevent the `uploads` directory from executing PHP commands in Nginx as an additional layer of defense:
```nginx
location ~* /wp-content/uploads/.*\.php$ {
deny all;
return 403;
}
```
For Apache, create a `.htaccess` file in `wp-content/uploads/`:
```apache
Require all denied
```
## Original theme
- Original repository: [owen0o0/WebStack](https://github.com/owen0o0/WebStack)
- Original author: [iowen](https://www.iowen.cn/)
- Theme version: 1.1824
## License
The security fixes follow the same licensing terms as the original theme.