logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary File Upload

Description

Attackers could use the Unauthenticated Arbitrary Post Creation issue (https://wpscan.com/vulnerability/d3ef5644-1044-492f-ac23-ea90b32f1e77) to also upload a PHP file via the cfp_upload_image() function which fails to properly verify that the file provided is an image.

Affects Plugins

123contactform-for-wordpress

No known fix - plugin closed

References

URL

https://blog.sucuri.net/2021/01/critical-vulnerabilities-in-123contactform-for-wordpress-wordpress-plugin.html

Classification

Type

UPLOAD

CWE

CWE-434

Miscellaneous

Original Researcher

Rodrigo Escobar (Sucuri)

Verified

No

WPVDB ID

0b58b722-e75a-4dc2-b63b-35375f475344

Timeline

Publicly Published

2021-01-20 (about 8 months ago)

Added

2021-01-20 (about 8 months ago)

Last Updated

2021-01-21 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin