WordPress Plugin Vulnerabilities

Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE

Description

When the Apple Touch Icons & Splash Screen add-on is active, its superpwa_splashscreen_uploader AJAX action does not properly check for CSRF, authorisation, or the content of the uploaded archive file. This allows attackers to upload an archive containing a PHP file, leading to RCE either by using a low-privilege account (subscriber+) or through a CSRF attack on any logged-in user.

v2.1.11 fixed only the CSRF check; v2.1.12 added the capability check.
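
The three checks named above, shown together in a hardened upload handler. This is an added example and not the plugin's own code: the nonce action `superpwa_splash_upload`, the fields `nonce` and `splash_zip`, the `manage_options` capability, the image-only allowlist and the destination directory are all assumptions.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's actual code.
add_action( 'wp_ajax_superpwa_splashscreen_uploader', 'example_splashscreen_upload' );

function example_splashscreen_upload() {
    // 1. CSRF: reject requests without a valid nonce (action/field names assumed).
    if ( ! check_ajax_referer( 'superpwa_splash_upload', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // 2. Authorisation: wp_ajax_* hooks fire for every logged-in user, subscribers
    //    included, so the capability must be checked explicitly (capability assumed).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // 3. Content: inspect every archive entry before anything is extracted.
    $tmp = isset( $_FILES['splash_zip']['tmp_name'] ) ? $_FILES['splash_zip']['tmp_name'] : '';
    if ( ! $tmp || ! is_uploaded_file( $tmp ) ) {
        wp_send_json_error( 'No upload received', 400 );
    }
    $zip = new ZipArchive();
    if ( true !== $zip->open( $tmp ) ) {
        wp_send_json_error( 'Not a valid ZIP archive', 400 );
    }
    $allowed = array( 'png', 'jpg', 'jpeg' ); // assumed: image files only
    $names   = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = (string) $zip->getNameIndex( $i );
        if ( '' !== $name && '/' === substr( $name, -1 ) ) {
            continue; // directory entry, nothing to extract
        }
        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        // Reject unreadable names, absolute paths, traversal, backslashes and
        // any extension outside the allowlist (.php, .phtml, .htaccess, ...).
        if ( '' === $name || preg_match( '#^/|\.\.|\\\\#', $name ) || ! in_array( $ext, $allowed, true ) ) {
            $zip->close();
            wp_send_json_error( 'Disallowed archive entry', 400 );
        }
        $names[] = $name;
    }
    // Extract only the vetted entries; the destination directory is an assumption.
    $uploads = wp_upload_dir();
    $dest    = trailingslashit( $uploads['basedir'] ) . 'example-splash-icons';
    wp_mkdir_p( $dest );
    $ok = ! empty( $names ) && $zip->extractTo( $dest, $names );
    $zip->close();
    $ok ? wp_send_json_success() : wp_send_json_error( 'Extraction failed', 500 );
}
```

`wp_send_json_error()` terminates the request, so each failed check stops processing before the archive is touched.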

Proof of Concept

Affects Plugins

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes

Timeline

Publicly Published
2021-06-29
Added
2021-06-29
Last Updated
2021-06-29

Other