First of all I did not discover this vulnerability. It was bought to my attention by a friend of mine, Sam Steele (@samsteele__). I simply tested it, created a proof-of-concept and talked to the extension developers and the Magento security team to try to get a fix issued.
My friend found the vulnerability at the beginning of October 2018. He reported the issue to FME Extensions, the extension developers, and they didn't respond.
After testing the issue I reported it, along with a POC, to the Magento security team who acted very swiftly and professionally. Magento removed the extension from their marketplace and a few weeks later they contacted me to say that FME have issued a fix. Checking the FME website showed that the latest version was still 2.5.2 which is the vulnerable version so to my knowledge they still hadn't fixed the issue.
I reported this back to Magento. Contacting FME Extensions myself resulted in a fairly swift response from their support team saying that they were releasing a fixed version that week. As of today this version on their website is still at 2.5.2 and, as far as I'm aware, is still vulnerable.
I believe that FME have had plenty of time to fix the issue and release a new version of their extension but have failed to do so. Whilst it's always a risk publicly disclosing a vulnerability that's not been patched it's also important that people are able to protect their Magento stores until FME are willing to release an updated version which is why I now think it's time to release some details.
Vulnerability reported to FME: 5/10/18
Vulnerability reported to Magento: 17/10/18
Extension removed from Magento Marketplace: ~19/10/18
Magento reported back that FME had released an updated version: 28/11/18
I responded to Magento saying that the latest version is still 2.5.2: 3/12/18
Magento responded saying they would re-remove it from the Marketplace: 3/12/18
I contacted FME personally about the un-patched extension: 3/12/18
FME responded saying they were releasing a new version "this week": 5/12/18
Releasing these details: 8/1/19 (~3 months after first reporting to FME)
Extension / version: FME Product Attachments
Extension version tested: 2.5.2
Magento version tested: 184.108.40.206
Vulnerability level: Critical
If you are using this extension on your store then I'd strongly recommend that you remove it until FME release an updated version.
Until this extension is patched it's best to remove it from your store.