Description

WordPress Plugin Uploadify is prone to a vulnerability that lets attackers upload arbitrary files. Successful exploitation of the vulnerability allows an attacker to upload a php code for example and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation. WordPress Plugin Uploadify version 1.0 is vulnerable.

Remediation

Disable the plugin

References

http://packetstormsecurity.com/files/view/98652/wpuploadify-shell.txt

http://www.securityfocus.com/archive/1/516646/30/0/threaded

Related Vulnerabilities

Drupal Core 9.4.x Cross-Site Scripting (9.4.0 - 9.4.2)

WordPress Plugin Import and export users and customers Cross-Site Scripting (1.12)

GeoServer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2024-23819)

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-38901)

Dolibarr Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2023-4197)

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Unauthenticated File Upload