Dognædis Ref.: DGS-SEC-17
CVE Ref: CVE-2013-2288
Release Date: 2013/03/01
Discovery Credits: CodeV - Code Analyzer
Bulletin Author(s): AMPP - CodeV Team
Contact: [email protected]
Type: Remote File Inclusion
Level: High (Low/High/Critical)
CVSS: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:P)
Vulnerable Application: Uploader plugin for WordPress (1.0.4)
Overview:
Uploader creates an Uploader role for file uploading.
Scope:
Description:
WordPress plugin that allows the user to upload files to the server.
Impact:
Exploiting this vulnerability may allow complete compromise of the web server, constrained only by the permissions of the Apache user.
Resolution:
Verify the location of the source file before moving it: only files located in the temporary upload folder should be moved to permanent locations.
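The check the resolution calls for, shown as an added illustration in plain PHP. This is not the Uploader plugin's own code: the form field name `upload`, the `uploads/` directory beside the script and the extension allow-list are assumptions for the example. The unchecked function is the weak pattern (a caller-supplied source path is moved without confirming it is an upload); the checked function confirms the file was received by PHP for this request, that it resolves inside the upload temp directory, and that the target name has no directory components.

```php
<?php
// Added illustration, not the Uploader plugin's own code. Parameter names,
// the upload field name and the destination directory are assumptions.

// Weak pattern: the source path comes straight from the request, so any file
// the Apache user can read (not only a fresh upload) can be moved into the
// web root under an attacker-chosen name.
function move_file_unchecked(string $src, string $name, string $dest_dir): bool {
    return rename($src, $dest_dir . '/' . $name);
}

// Hardened pattern: accept only a file that PHP itself received via HTTP POST,
// confirm it resolves inside the upload temp directory, and refuse target
// names that carry path components or extensions outside the allow-list.
function move_file_checked(string $src, string $name, string $dest_dir, array $allowed_ext): bool {
    // 1. Must be a file PHP placed in the temp dir for this request.
    if (!is_uploaded_file($src)) {
        return false;
    }

    // 2. Defence in depth: the resolved path must live under the temp dir
    //    (upload_tmp_dir if configured, otherwise the system temp dir).
    $tmp_dir  = realpath(ini_get('upload_tmp_dir') ?: sys_get_temp_dir());
    $real_src = realpath($src);
    if ($tmp_dir === false || $real_src === false
        || strpos($real_src, $tmp_dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 3. Destination name: a bare file name only (no '/', '..', or dotfiles),
    //    with its extension on the allow-list.
    $base = basename($name);
    if ($base !== $name || $base === '' || $base[0] === '.') {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;
    }

    // 4. move_uploaded_file() re-checks is_uploaded_file() internally, so the
    //    temp-folder restriction holds even if step 2 were bypassed.
    return move_uploaded_file($src, rtrim($dest_dir, '/') . '/' . $base);
}

// Typical call from a form handler; 'upload' is the assumed field name.
if (!empty($_FILES['upload']['tmp_name'])) {
    $ok = move_file_checked(
        $_FILES['upload']['tmp_name'],
        $_FILES['upload']['name'],
        __DIR__ . '/uploads',
        ['jpg', 'jpeg', 'png', 'gif', 'pdf']
    );
    http_response_code($ok ? 200 : 400);
}
```

The first test, `is_uploaded_file()`, is the one that actually closes the hole described in the resolution: it is true only for files PHP wrote to the temp directory for the current request, so an existing file elsewhere on the server can never be selected as the source. The `realpath()` comparison and the name checks are independent layers; in a WordPress plugin the same effect is normally obtained by handing the `$_FILES` entry to `wp_handle_upload()` rather than moving files directly.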
Official Solution:
At the moment, there is no official solution for the reported vulnerabilities.
The developer has not yet responded to the first contact attempt.
External References:
https://www.owasp.org/index.php/PHP_File_Inclusion