MailCWP 1.100 - Unauthenticated Arbitrary File Upload



Description
The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded, so any user can upload a shell to the target WordPress server.

Exploitation requires the attacker to guess a writeable location in the HTTP server root.

Affects Plugin

Fixed in version 1.110

References

CVE 2015-1000000
PACKETSTORM 132739
URL http://www.vapidlabs.com/advisory.php?v=175
URL https://vapid.dhs.org/advisory.php?v=138

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Larry W. Cashdollar
Submitter Twitter _larry0
Views 5088
Verified No
WPVDB ID 8090

Timeline

Publicly Published 2015-07-10 (over 4 years ago)
Added 2015-07-11 (over 4 years ago)
Last Updated 2019-10-22 (about 10 hours ago)
