Description

wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.

Remediation

References

CVE-2008-5695

Related Vulnerabilities

Zope Web Application Server Other Vulnerability (CVE-2000-0483)

WordPress Plugin XO Event Calendar Cross-Site Scripting (2.3.6)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-5341)

PHP Data Processing Errors Vulnerability (CVE-2015-4025)

WordPress Plugin UserPro-Community and User Profile Cross-Site Scripting (4.9.23)

Severity

High

Classification

CVE-2008-5695 CWE-20

Tags

Missing Update Known Vulnerabilities