WordPress Plugin Vulnerabilities
Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload
Description
The plugin allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.
Proof of Concept
Any user who has the rights to modify the settings area of the Asgaros plugin (/wp-admin/admin.php?page=asgarosforum-options), like forum administrators, can authorize users to upload malicious files (e.g. .php, .phtml files) on the site.
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
Rafael Aristodimou
Submitter
Rafael Aristodimou
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-11-06 (about 6 months ago)
Added
2023-11-06 (about 6 months ago)
Last Updated
2023-11-06 (about 6 months ago)