WordPress Plugin Vulnerabilities

Mobile App Native <= 3.0 - Remote File Upload

Description

The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content.
It also doesn't sanitize the file upload against executable code.

<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

if ($_FILES['file']['name']) {
if (!$_FILES['file']['error']) {
$name = md5(rand(100, 200));
$ext = explode('.', $_FILES['file']['name']);
$filename = $name . '.' . $ext[1];
$destination = 'images/' . $filename;
$location = $_FILES["file"]["tmp_name"];
move_uploaded_file($location, $destination);
echo $plugin_url.'/server/images/' . $filename;
}
else {
echo $message = 'Ooops! Your upload triggered the following error: '.$_FILES['file']['error'];
}
}

Proof of Concept

Affects Plugins

Plugin icon
zen-mobile-app-native
No known fix

References

CVE
CVE-2017-6104
Exploitdb
41540
URL
http://www.vapidlabs.com/advisory.php?v=178

Miscellaneous

Submitter
Larry W. Cashdollar
Submitter website
http://www.vapidlabs.com/
Submitter twitter
@_larry0
Verified
No
WPVDB ID
6ef8703e-dfb8-48e2-91bb-b8d8b766e093

Timeline

Publicly Published
2017-02-28 (about 9 years ago)
Added
2017-03-01 (about 9 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2014-05-20
Title
NextGEN Gallery < 2.0.66 - Arbitrary File Upload
Published
2026-02-02
Title
OS DataHub Maps < 1.8.4 - Authenticated (Author+) Arbitrary File Upload
Published
2024-10-25
Title
Sudan Payment Gateway for WooCommerce <= 1.2.2 - Unauthenticated Arbitrary File Upload
Published
2026-01-12
Title
Energia <= 1.1.2 - Unauthenticated Arbitrary File Upload
Published
2021-04-11
Title
Business Directory Plugin < 5.11.1 - Authenticated PHP4 Upload to RCE