The plugin allows a remote attacker to upload arbitrary files through its manual update functionality, leading to an unauthenticated remote code execution vulnerability.

Note (WPScanTeam):

- The issue was escalated to Envato on March 30th, 2021, and the plugin has been removed from the marketplace.
- The issue appears to have been exploited by malicious actors for several months, as some reviews/comments suggest (https://codecanyon.net/item/business-hours-pro-wordpress-plugin/reviews/9414879).
The PoC will be displayed once the issue has been remediated
UPLOAD
Harald Eilertsen
Yes
2021-04-02
2021-04-04