WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary File Upload

Description

Attackers could use the Unauthenticated Arbitrary Post Creation issue (https://wpscan.com/vulnerability/d3ef5644-1044-492f-ac23-ea90b32f1e77) to also upload a PHP file via the cfp_upload_image() function which fails to properly verify that the file provided is an image.

Affects Plugins

123contactform-for-wordpress
No known fix - plugin closed

References

URL
https://blog.sucuri.net/2021/01/critical-vulnerabilities-in-123contactform-for-wordpress-wordpress-plugin.html

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Rodrigo Escobar (Sucuri)

Verified

No

WPVDB ID
0b58b722-e75a-4dc2-b63b-35375f475344

Timeline

Publicly Published

2021-01-20 (about 1 years ago)

Added

2021-01-20 (about 1 years ago)

Last Updated

2021-01-21 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin