We had several reports about the possible vulnerability in Types (seems that it just went public in Plesk, linking back to patchstack): hidden link. So, here are our findings about this issue:
This report has limited details, but unless there is something extra, it appears to be a non-issue. Because it says that administrators can upload arbitrary files, presumably that relates to the File field type, for uploading and storing files. Editing a post and uploading files to the file field uses the WordPress Media Uploader, and it determines the allowable file types (mostly images, videos, audio, and documents), which excludes executables like .php files. Therefore, this is not arbitrary.
Moreover, site administrators can override this by setting the constant ALLOW_UNFILTERED_UPLOADS to true in wp-config.php. Absent further details, it doesn't appear to be a vulnerability from our perspective.
We have already released a new version for Types 3.4.18, which includes a fix for this "vulnerability". You can update either from the downloads page, or may need to click the "Check for updates" button in Plugins -> Add New -> Commercial tab.
I hope that everything is clear and solved now. Thank you!
