WordPress File Upload <= 3.4.0 – Unauthenticated Malicious File Upload | CVE 2015-9341 | Plugin Vulnerabilities

Description

The WordPress plugin wp-file-upload does not adequately check the filetype before allowing it to be uploaded. It also uploaded files with execute permissions, allowing malicious payloads to be uploaded.

Proof of Concept

1. Install wp-file-upload on a WordPress site and activate it.
2. Create an upload form on a page.
3. Create a file named payload.php.....jpg with the contents
<?php
echo "You got pwnd";

4. Use the form you created to upload this payload
5. Navigate to /wp-content/uploads/payload.php.....jpg and see "You got pwnd" printed.

Affects Plugins

Fixed in 3.4.1

References

CVE

Miscellaneous

Submitter

Garth Mortensen

Submitter website

http://www.garthmortensen.com/

Submitter twitter

garth_mortensen

Verified

No

WPVDB ID

32e34cff-d6cf-4e00-bb5d-1e2e6595f1c1

Timeline

Publicly Published

2015-10-29 (about 10 years ago)

Added

2015-11-09 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-04-05

Title

WP Photo Album Plus < 8.6.03.005 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-12-30

Title

ACF City Selector < 1.15.0 - Authenticated (Admin+) Arbitrary File Upload

Published

2025-01-20

Title

Post/Page Copying Tool to Export and Import post/page for Cross site Migration < 2.0.4 - Authenticated (Contributor+) Arbitrary File Upload

Published

2025-12-04

Title

Demo Importer Plus < 2.0.7 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass

Published

2021-01-20

Title

123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary File Upload