It has come to our attention that there’s a security vulnerability in older Mantra version.
The affected versions are 1.7.7 to 1.8.9.1. No other versions are affected.
If you are running any of these versions, please update as soon as possible.
The vulnerability could allow an attacker to upload a malformed image file in the mantra/uploads folder and potentially execute arbitrary code on the server.
If you are unable to update due to various modifications/customizations you have performed on the theme. delete the mantra/admin/upload-file.php file to remove the vulnerability. (Note that this will prevent you from changing your favicon image in the future)
In both cases, also check the files in mantra/uploads folder and make sure your installation hasn’t been compromised. If you find any suspicious files:
- non-image files
- image files which you do not remember to have uploaded
- weirdly named image files
- image files with double extensions
delete them immediately, and check your entire hosting account / server to make sure no other files have been compromised.
