WordPress File Upload <= 3.4.0 – Unauthenticated Malicious File Upload | CVE 2015-9341 | Plugin Vulnerabilities

Description

The WordPress plugin wp-file-upload does not adequately check the filetype before allowing it to be uploaded. It also uploaded files with execute permissions, allowing malicious payloads to be uploaded.

Proof of Concept

1. Install wp-file-upload on a WordPress site and activate it.
2. Create an upload form on a page.
3. Create a file named payload.php.....jpg with the contents
<?php
echo "You got pwnd";

4. Use the form you created to upload this payload
5. Navigate to /wp-content/uploads/payload.php.....jpg and see "You got pwnd" printed.

Affects Plugins

Fixed in 3.4.1

References

CVE

Miscellaneous

Submitter

Garth Mortensen

Submitter website

http://www.garthmortensen.com/

Submitter twitter

garth_mortensen

Verified

No

WPVDB ID

32e34cff-d6cf-4e00-bb5d-1e2e6595f1c1

Timeline

Publicly Published

2015-10-29 (about 8 years ago)

Added

2015-11-09 (about 8 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2022-02-07

Title

Catch Themes Demo Import < 2.1.1 - Admin+ Remote Code Execution

Published

2014-08-01

Title

wpStoreCart 2.5.27-2.5.29 - Arbitrary File Upload

Published

2014-08-01

Title

e-Commerce <= 3.4 - Arbitrary File Upload Exploit

Published

2021-04-11

Title

Business Directory Plugin < 5.11.1 - Authenticated PHP4 Upload to RCE

Published

2021-04-30

Title

Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE