Because the plugin doesn't validate the name of the uploaded file, an unauthenticated user could upload a PHP script with a double extension, e.g., script.php.jpg, and execute it on HTTP servers running a configuration such as Apache + PHP FastCGI.

Edit (WPScanTeam): This appears to be due to an incomplete fix of https://wpvulndb.com/vulnerabilities/10349
$ curl 'http://example.com/wp-admin/admin-ajax.php' -F 'action=qsm_upload_image_fd_question' -F 'question_id={some-id}' -F '[email protected]'
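A server-side filename check of the kind the description says is missing, as an added example; it is not the plugin's code or its fix. The function name, the allow-list, and the script-segment pattern are assumptions chosen for illustration, and the sample files are constructed.

```php
<?php
// Added example; function and constant names are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];
// Name segments that an extension-mapped handler might treat as executable.
const SCRIPT_SEGMENT = '/^(php\d*|phtml|phar|pht|cgi|pl|py|sh)$/i';

/**
 * Return a server-generated name for an accepted upload, or null to reject.
 * $clientName is the filename sent by the client, $tmpPath the temp file.
 */
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $base  = basename(str_replace('\\', '/', $clientName));
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;               // no extension, or a dotfile like .htaccess
    }
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;               // final extension is not an allowed image type
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (preg_match(SCRIPT_SEGMENT, $segment) === 1) {
            return null;           // double extension such as script.php.jpg
        }
    }
    if (@getimagesize($tmpPath) === false) {
        return null;               // content does not parse as an image
    }
    // Never reuse the client's name on disk: one random stem, one extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: a 1x1 GIF and a PHP snippet written to temp files.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, '<?php echo 1;');

foreach ([['photo.gif', $gif], ['script.php.jpg', $gif], ['script.php.jpg', $php], ['a.php', $php]] as [$name, $tmp]) {
    printf("%-16s %s\n", $name, safe_upload_name($name, $tmp) ?? 'REJECTED');
}
unlink($gif);
unlink($php);
```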
UPLOAD
NinTechNet
Wiyada Sinsad
No
2020-08-29 (about 3 years ago)
2020-08-29 (about 3 years ago)
2020-08-29 (about 3 years ago)