For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned.

Exploit described in YouTube videos jQuery File Upload has been vulnerable for eight years, since the Apache 2.3.9 release in 2010.

jQuery File Upload is a is a user-contributed open-source package for software developers that describes itself as a “file upload widget with multiple file selection, drag-and-drop support ...