| CVSS2 | 6.5 Medium |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | SINGLE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |

| EPSS | 0.919 High |
|---|---|
| Percentile | 98.7% |
| Name | CVE_2014_5460 |
|---|---|
| CVE | CVE-2014-5460 Exploit Pack |
| Vendor | Tribulant |
| Changelog | https://wordpress.org/plugins/slideshow-gallery/changelog/ |

Notes:
If the Suhosin-Patch is installed (typically announced in the PHP banner), the MOSDEF PHP
shell startup will not work; the vulnerability itself remains exploitable.
This is a post-authentication shell upload vulnerability in a popular (400k+ downloads)
WordPress plugin. By default only administrators can reach the vulnerable functionality.
The plugin does allow administrators to grant any class of user access to that
functionality, though they would have to do so deliberately.
Repeatability: Infinite
References: http://packetstormsecurity.com/files/128069/WordPress-Slideshow-Gallery-1.4.6-Shell-Upload.html
CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
CERT Advisory: None
Date public: 08/31/14