It was possible to bypass the "is_authorized_request" function used to control access to plugin settings by sending a request without a nonce parameter. This could be used to upload arbitrary code to a CSS file with a double extension (e.g. file.php.css), and could also be used to include the uploaded file as a gallery template, resulting in RCE and XSS when visiting a gallery using the selected template.
Ramuel Gall
Ramuel Gall
No
2021-02-08 (about 2 years ago)
2021-02-08 (about 2 years ago)
2021-02-09 (about 2 years ago)
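The two weaknesses in the description above, modelled as an added example (not the plugin's code, whose source is not shown on this page): a nonce check that passes when the parameter is absent beside a fail-closed version, and a filename check that refuses double extensions such as file.php.css. All function names, the action name and the HMAC-based nonce stand-in are assumptions made for the illustration.

```php
<?php
// Added illustration, not the plugin's code. All names and values are constructed.
const DEMO_SECRET = 'constructed-demo-secret'; // stand-in for WordPress's nonce keying

function demo_nonce(string $action): string {
    return substr(hash_hmac('sha256', $action, DEMO_SECRET), 0, 10);
}

// Fail-open: the nonce is validated only when the request carries one,
// so a request that omits the parameter is treated as authorized.
function nonce_check_fail_open(array $request, string $action): bool {
    if (isset($request['nonce'])) {
        return is_string($request['nonce'])
            && hash_equals(demo_nonce($action), $request['nonce']);
    }
    return true;
}

// Fail-closed: a missing, non-string or wrong nonce is always a rejection.
function nonce_check_fail_closed(array $request, string $action): bool {
    if (!isset($request['nonce']) || !is_string($request['nonce'])) {
        return false;
    }
    return hash_equals(demo_nonce($action), $request['nonce']);
}

// Accept a stylesheet name only if it has a single extension, ".css",
// so names such as file.php.css are refused before anything is written.
function is_plain_css_name(string $name): bool {
    return preg_match('/\A[A-Za-z0-9_-]+\.css\z/', $name) === 1;
}

$action = 'save_settings'; // hypothetical action name
$requests = [
    'valid nonce'   => ['nonce' => demo_nonce($action)],
    'wrong nonce'   => ['nonce' => 'aaaaaaaaaa'],
    'nonce omitted' => [],
];
foreach ($requests as $label => $request) {
    printf("%-14s fail-open=%s fail-closed=%s\n", $label,
        var_export(nonce_check_fail_open($request, $action), true),
        var_export(nonce_check_fail_closed($request, $action), true));
}
foreach (['custom.css', 'file.php.css', '../custom.css'] as $name) {
    printf("%-14s accepted=%s\n", $name, var_export(is_plain_css_name($name), true));
}
```

Only the "nonce omitted" row differs between the two checks, which is the case a regression test for this class of bug should cover.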