Aviary Image Editor Add-on For Gravity Forms <= 3.0beta – Unauthenticated File Upload | CVE 2015-4455

Description

There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php. An unauthenticated user can upload any file to the system, including PHP files.

upload.php does not check that the user is authenticated and a simple POST request will allow arbitrary code to be uploaded to the server.

Affects Plugins

aviary-image-editor-add-on-for-gravity-forms

No known fix

References

CVE

CVE-2015-4455

Exploitdb

37275

URL

https://packetstormsecurity.com/files/#132256/

Miscellaneous

Submitter

Larry W. Cashdollar

Submitter twitter

_larry0

Verified

WPVDB ID

cac92a37-4643-4603-a42b-8648ec7b7d7e

Timeline

Publicly Published

2015-06-09 (about 10 years ago)

Added

2015-06-09 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-11-05

Title

WP JobSearch < 2.6.8 - Unauthenticated Arbitrary File Upload

Published

2026-01-06

Title

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.9.3 - Unauthenticated Limited Arbitrary File Upload

Published

2025-10-14

Title

Flex QR Code Generator < 1.2.6 - Unauthenticated Arbitrary File Upload

Published

2025-06-17

Title

CSV Me <= 2.0 - Authenticated (Administrator+) Arbitrary File Upload

Published

2025-05-05

Title

External image replace <= 1.0.8 - Authenticated (Contributor+) Arbitrary File Upload