For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned.

The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp.

The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

A vulnerability in this plugin would be devastating, as it could open gaping security holes in a lot of platforms installed in a lot of sensitive places.

This worse case scenario is exactly what happened. Earlier this year, Larry Cashdollar, a security researcher for Akamai’s SIRT (Security Intelligence Response Team), has discovered a vulnerability in the plugin’s source code that handles file uploads to PHP servers.

Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells.

Source: Zero-day in popular jQuery plugin actively exploited for at least three years | ZDNet