WordPress Plugin Vulnerabilities

Frontend File Manager < 18.3 - Authenticated Arbitrary Settings Change to Arbitrary File Upload

Description

The wpfm_save_settings AJAX action of the plugin, available to any authenticated user, was lacking CSRF and capability check, allowing any authenticated user to change the settings, and add PHP to the allowed filetype to be uploaded, which would then allow them to upload a malicious PHP file via the wpfm_upload_file AJAX action

Affects Plugins

Plugin icon
nmedia-user-file-uploader
Fixed in 18.3

References

CVE
CVE-2021-4368
CVE
CVE-2021-4356
URL
https://blog.nintechnet.com/wordpress-frontend-file-manager-plugin-fixed-multiple-critical-vulnerabilities/

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
3cdc5704-af8c-43de-841b-0798cc291469

Timeline

Publicly Published
2021-07-12 (about 4 years ago)
Added
2021-07-12 (about 4 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2017-04-01
Title
Image Gallery with Slideshow <= 1.5.2 - Multiple XSS and SQL Injection
Published
2018-11-15
Title
Slideshow Gallery <= 1.6.8 - XSS and SQLi
Published
2014-08-01
Title
Ajax Category Dropdown 0.1.5 - Multiple Vulnerabilities
Published
2019-09-08
Title
Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS
Published
2016-08-04
Title
WP Database Backup < 4.3.3 - CSRF & XSS