Share
## https://sploitus.com/exploit?id=0D750076-D636-5A6C-9280-769278FDE7CD
# WebStack – WordPress Navigation Theme (Security Enhanced Version)

This WordPress navigation theme based on [owen0o0/WebStack](https://github.com/owen0o0/WebStack) has all known high-risk security vulnerabilities fixed in this version. ## Differences from the original version

The original theme had 5 security vulnerabilities (2 severe, 2 high-risk, 1 medium-risk). All these vulnerabilities have been fixed in this repository:

| Vulnerability Number | Severity | File | Type | Status |
| --- | --- | --- | --- | --- |
| VULN-01 | 🔴 Severe | `inc/ajax.php` | Unauthorized file upload (could lead to RCE) | ✅ Fixed |
| VULN-02 | 🔴 Severe | `inc/img-upload.php` | Legacy upload script accessible directly | ✅ Fixed (file deleted) |
| VULN-03 | 🟠 High-risk | `inc/ajax.php` | Unauthorized attachment deletion | ✅ Fixed |
| VULN-04 | 🟠 High-risk | `go.php` | Open redirection + HTML injection | ✅ Fixed |
| VULN-05 | 🟡 Medium-risk | `search-tool.php` | Confused eval() JavaScript code | ✅ Fixed |

Detailed descriptions of the vulnerabilities can be found in [SECURITY-AUDIT.md](./SECURITY-AUDIT.md). Solutions to the issues are described in [SECURITY-FIX-SUMMARY.md](./SECURITY-FIX-SUMMARY.md). ## Main fixes

**VULN-01 / VULN-03 – `inc/ajax.php`**
- Removed `wp_ajax_nopriv_*` hooks; upload/deletion functions are limited to logged-in users only.
- Added `check_ajax_referer()` nonce validation to prevent CSRF attacks.
- The allowlist for file extensions is changed from “defined but unused” to actually performing `in_array()` checks.
- Server-side PHP `finfo` is used to verify the real MIME type of files; client-side Content-Type is not trusted.
- `wp_handleUpload()` is used instead of bare `rename()`, which passes through WordPress’s built-in security filters.
- Attachment deletion now includes ownership verification; users can only delete images they uploaded.

**VULN-02 – `inc/img-upload.php`**
- Legacy scripts are deprecated and have been completely removed from the theme.

**VULN-04 – `go.php`**
- Uses `filter_var(..., FILTER_VALIDATE_URL)` to validate the of decoded URLs.
- `parse_url()` is used to restrict schemes to `http`/`https`; dangerous protocols like `javascript:` are blocked.
- Output is safely escaped using WordPress’s `esc_url()` function.

**VULN-05 – `search-tool.php`**
- The JS Packer obfuscation code has been replaced with plain-readable JavaScript equivalent to its functionality.

## Installation instructions

1. Download the repository ZIP file or use `git clone`.
2. Upload the theme folder to WordPress’s `wp-content/themes/` directory.
3. Enable **WebStack** in WordPress’s backend settings under “Appearance → Themes”.
4. Follow the original documentation to import and configure the navigation data.

## Additional server-level enhancements (strongly recommended)

Prevent the `uploads` directory from executing PHP commands in Nginx as an additional layer of defense:

```nginx
location ~* /wp-content/uploads/.*\.php$ {
 deny all;
 return 403;
}
```

For Apache, create a `.htaccess` file in `wp-content/uploads/`:

```apache
Require all denied
```

## Original theme

- Original repository: [owen0o0/WebStack](https://github.com/owen0o0/WebStack)
- Original author: [iowen](https://www.iowen.cn/)
- Theme version: 1.1824

## License

The security fixes follow the same licensing terms as the original theme.