CVE-2021-24962
N/A
N/A
Summary
The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | WordPress File Upload | 4.16.3 < 4.16.3 | affected |
| Unknown | WordPress File Upload Pro | 4.16.3 < 4.16.3 | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CVE Program Container
Additional References
- https://plugins.trac.wordpress.org/changeset/2677722
- https://wpscan.com/vulnerability/7a95b3f2-285e-40e3-aead-41932c207623
References
- https://plugins.trac.wordpress.org/changeset/2677722
- https://wpscan.com/vulnerability/7a95b3f2-285e-40e3-aead-41932c207623
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.