N-Media File Uploader <= 3.7 - Unauthenticated Arbitrary File Upload



Description
This plugin enables users to upload files to a WordPress instance and share them with the WordPress admin. Because of insufficient input validation, an unauthenticated attacker is able to bypass the restriction and upload arbitrary content. The uploaded content can then be executed by requesting the URL of the file in the publicly accessible upload directory.

Affects Plugin

fixed in version 3.8

References

CVE 2015-4693

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter HSASec
Submitter Website https://www.hsasec.de
Submitter Twitter HSASec
Views 4470
Verified No
WPVDB ID 8065

Timeline

Publicly Published 2015-06-29 (about 5 years ago)
Added 2015-06-29 (about 5 years ago)
Last Updated 2019-10-21 (9 months ago)
