URGENT OJS 3.X Security Issue!

This morning we received an email from the official PKP address informing us of a security issue found in OJS 3.x (before 3.3.0-5).
The issue comes from a third-party script, specifically the Plupload script.

Plupload is used by OJS (before 3.3.0-5) to handle the upload process. The issue has been discussed on the library's GitHub page, which can be found here:

This is a preview of the broadcast that we received:



Note: this security bug also affects OPS (3.x) and OMP (< 3.3.0.4).

How this vulnerability can be abused!

To shed light on this matter, we ran a simulation on our own server to test it, and we recap the steps here:

1. Create an HTML file on any server

Add the following content to that file:

<html>
<body>
    <form action="http://someOJSURL.com/lib/pkp/lib/vendor/moxiecode/plupload/examples/upload.php" method="post" enctype="multipart/form-data">
        Select image to upload:
        <input type="file" name="file" id="fileToUpload">
        <input type="submit" value="Upload Image" name="submit">
    </form>
</body>
</html>

Save that file

2. Open the file and upload any file

After creating the file, an attacker can upload any malicious file through that form. Once the form is submitted, it shows this response:

This means that the upload succeeded.

The uploaded file is stored in the server's temporary file location, in an additional folder named plupload inside that temporary folder. If the server does not have any folder traversal protection, the attacker can then access that malicious file and do anything to your OJS system: access the database, inject a cryptocurrency miner, send a zipped virus file to any user of your OJS, steal any information from your OJS, or use all the information on your server, including user data, for illegal purposes.

This threat is very serious and its possible consequences are very concerning, so we recommend that you immediately upgrade or patch your OJS. Keep following this article, since we explain the steps for doing so below.

How you can fix this issue

To fix this issue, you can use one of two methods.

1. Upgrade your OJS (highly recommended)
2. Remove the affected file.

1. Upgrade OJS to the latest version

Just a few days ago (7 Apr 2021), PKP released a new version of OJS 3: OJS 3.3.0-5. This latest release fixes the above vulnerability and, as a bonus, you also get the fixes and improvements made since your previous version of OJS. Upgrading your OJS also protects you from still-unknown issues in your previous version of OJS.

The list of previous vulnerabilities on OJS 3 version

For the complete OJS 3.3.0-5 changelog, see this list:

3.3.0-5 Build
-------------
	#6910: Use proper identification when issuing HTTP requests
	#6892: View more accessible button label is broken in 3.3
	#6888: Ensure Composer dependency test/example code is safe
	#6886: crossrefReferenceLinking plugin: consider all references settings
	#6879: Site settings not visible for usage statistics plugin when only one context exists
	#6873: Saving the Website - Appearance - Setup form auto-focuses on Homepage Image Alt Text field
	#6872: Article links broken after update to 3.3.0-4
	#6871: Session destruction (and duplicate) warnings in the PHP error log
	#6870: SQL logic error in upgrade when using PostgreSQL
	#6862: Author name is not localized in How-to-Cite citation
	#6757: Supported form locales can be serialized as associative array

You can follow this guide: https://openjournaltheme.com/how-to-upgrade-ojs-3 for detailed instructions on upgrading your OJS. Considering that this upgrade is urgent, we also offer 40% off the initial price of our service for upgrading OJS 3 to the latest version. Please use the coupon URGENTUPGRADE (only valid until 21 April 2021).

Access our upgrade service here:
https://openjournaltheme.com/ojs-upgrade-services/

2. Removing the affected file

When we tested the vulnerability in the simulation on our server, we found that it is caused by an example file shipped with Plupload, whose primary purpose is to help developers implement the library in their own code environment. Unfortunately, this example file opens a door for attackers to upload malicious files to the server, and many developers are unaware that this script is present.

This removal step is not the recommended method, since we believe that upgrading your OJS also protects your current live version against various other disclosed vulnerabilities. However, it is still very important to do. The steps for removing the file are explained here:

Access your cPanel / server

Go to the folder

/yourOJSInstallation/lib/pkp/lib/vendor/moxiecode/plupload/examples


Please find the file in that folder named upload.php and remove it right away!

If you have any code caching such as OPCache on your server, don’t forget to restart your PHP-FPM service.
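
The removal step above can also be done from a shell. The following is an added example, not part of the original article or of PKP's code: it finds every upload.php inside a moxiecode/plupload/examples folder, lists files left in the plupload folder of the temporary directory described earlier, and removes the example script. The function names and the directory tree built by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OJS/OMP/OPS tree for the Plupload example uploader.
# Function names and the demo tree are assumptions made for this illustration.

# Print every upload.php located in a moxiecode/plupload/examples folder under $1.
find_plupload_examples() {
    find "$1" -type f -name upload.php \
        -path '*/moxiecode/plupload/examples/*' 2>/dev/null
}

# Print files left in the "plupload" folder of temporary directory $1, if any.
# Files listed here should be reviewed before they are deleted.
list_plupload_uploads() {
    if [ -d "$1/plupload" ]; then
        find "$1/plupload" -type f
    fi
}

# Delete the example upload script(s) under $1 and print each removed path.
remove_plupload_examples() {
    find "$1" -type f -name upload.php \
        -path '*/moxiecode/plupload/examples/*' \
        -exec rm -f -- {} \; -print
}

# Demonstration on a constructed directory tree (not a real installation).
demo() {
    root=$(mktemp -d)
    ex="$root/ojs/lib/pkp/lib/vendor/moxiecode/plupload/examples"
    mkdir -p "$ex" "$root/tmp/plupload"
    : > "$ex/upload.php"                 # stands in for the example script
    : > "$root/tmp/plupload/sample.bin"  # stands in for an uploaded file
    echo "Example scripts found:"; find_plupload_examples "$root/ojs"
    echo "Files in tmp/plupload:"; list_plupload_uploads "$root/tmp"
    echo "Removed:";               remove_plupload_examples "$root/ojs"
    rm -rf "$root"
}
demo
```

On a real server, pass your installation root to find_plupload_examples and remove_plupload_examples, and the PHP temporary directory to list_plupload_uploads, instead of calling demo.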


That’s it. Choose which method is right for you and do it now, before it is too late.

Before we end this, it is also worth mentioning that you should consider improving the security of your OJS by following the steps that we have explained in this dedicated article:

https://openjournaltheme.com/how-to-secure-ojs

About the Author

Project Manager

Hendra here. I love writing about OJS and sharing knowledge about OJS. My passion is the OJS and OMP platforms and doing research on creating innovative products for those platforms to help publishers improve their publications.
