In December 2020, researchers for WordFence disclosed three security vulnerabilities to the authors of the Responsive Menu WordPress plugin. After nearly a month and an escalation to the WordPress Plugins team, WordFence was finally able to get a point of contact.
The first of the three flaws enabled authenticated attackers to upload a zip file which could allow an eventual remote code execution. Although an attacker needs to be authenticated, the account can be any level of user such as a subscriber. Once authenticated, an attacker can craft a request to upload a zip file containing PHP scripts which are automatically extracted. These scripts could then be accessed by the attacker to trigger code execution. The other two vulnerabilities discovered by WordFence allowed an attacker to craft a request that would allow them to modify settings for the Responsive Menu plugin, which then allowed arbitrary file uploads.
After a month from the initial time of discovery, ExpressTech patched the vulnerabilities and made a new version of the plugin available for download on January 19th. Although a patch has been made available, BleepingComputer notes that around 50,000 sites could still be exposed after tracking the number of downloads since the patch was released.