Security vulnerability in older Mantra versions

Mantra Zed December 12th, 2012 December 8th, 2020

It has come to our attention that there’s a security vulnerability in older Mantra version.

The affected versions are 1.7.7 to 1.8.9.1. No other versions are affected.

If you are running any of these versions, please update as soon as possible.

The vulnerability could allow an attacker to upload a malformed image file in the mantra/uploads folder and potentially execute arbitrary code on the server.

If you are unable to update due to various modifications/customizations you have performed on the theme. delete the mantra/admin/upload-file.php file to remove the vulnerability. (Note that this will prevent you from changing your favicon image in the future)

In both cases, also check the files in mantra/uploads folder and make sure your installation hasn’t been compromised. If you find any suspicious files:

non-image files
image files which you do not remember to have uploaded
weirdly named image files
image files with double extensions

delete them immediately, and check your entire hosting account / server to make sure no other files have been compromised.

Mantra is a clean, highly configurable and totally free WordPress theme. For more info check out the theme's page.

Written by

Zed

The analytical brain of Cryout Creations. Responsible for all the wires and tubes. Dedicates most time to testing/breaking features and tracking bugs but never enough to patching things up.

7 Comments

Judy

December 25th, 2012 at 19:12 12 years ago

What happened to the HTML Preview? I only have Visual and Text tabs now
I am used to working in HTML when I have a problem to correct.

I am using Mantra 1.9.9.3
1. Zed
  
  December 27th, 2012 at 02:26 12 years ago
  
  What HTML Preview?
techblogmaster

December 20th, 2012 at 09:46 12 years ago

i installed this theme…but it is showing many php errors…can you send me an older version link of this? thanks in advance..:)
1. Zed
  
  December 21st, 2012 at 15:35 12 years ago
  
  What version of Mantra and WordPress are you using? What PHP version is your server using? And what php errors?
  You can find all Mantra versions here.
Peter

December 20th, 2012 at 00:48 12 years ago

Thanks for the heads up too
Susan Glover

December 15th, 2012 at 01:52 12 years ago

I had my server shut down for spam generated by the Mantra upload file day before yesterday! Hopefully deleting that file clears up the problem until I can create a child theme and upgrade! Thanks for the heads up!
Lee McNulty

December 13th, 2012 at 23:05 12 years ago

I have 1992 version of Mantra and I am having all sorts of weird trouble with it. One of which….I changed a list of categories to articles Side header… saved the changes on the dashboard, listed the articles, published the articles and it won’t appear on the list on front page. My deleted list deleted, but the one I put in it’s place won’t appear.. Now when I put in a new post is comes on front page as well., in place of featured article. A default was set up to appear when I didn’t categorize an article. I need to changed that. Went in changed it, saved changes and it goes right back to automatic category and it won’t let me changed that. It seems I cannot change much of anything. This version has been a sore disappointment. Don’t know what to do. Do you think I could the same trouble with this version as well?