WordPress Plugin Vulnerabilities

N-Media File Uploader <= 3.7 - Unauthenticated Arbitrary File Upload

Description

This plugin enables users to upload files to a wordpress-instance and share it with the wordpress-admin. Through insufficient input validation an unauthenticated attacker is able to bypass the restriction and upload arbitrary content. This uploaded content can be executed by calling the URL of the file in the public available upload directory.

Affects Plugins

Plugin icon
nmedia-user-file-uploader
Fixed in 3.8

References

CVE
CVE-2015-4693

Miscellaneous

Submitter
HSASec
Submitter website
https://www.hsasec.de
Submitter twitter
HSASec
Verified
No
WPVDB ID
38770519-dd50-42c5-ac4e-c5b3378db6ee

Timeline

Publicly Published
2015-06-29 (about 10 years ago)
Added
2015-06-29 (about 10 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2021-06-29
Title
Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE
Published
2015-04-25
Title
WooCommerce Amazon Affiliates - Arbitrary File Upload
Published
2025-06-12
Title
MapSVG < 8.7.4 - Contributor+ Arbitrary File Upload
Published
2024-07-08
Title
Advanced File Manager Shortcode < 2.5.4 - Authenticated (Contributor+) Arbitrary File Upload
Published
2025-06-16
Title
Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.0 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks