CVSS2: 6 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS: 0.017 Low
Percentile: 87.7%

Secunia reports:

The security issue is caused due to the wp_check_filetype()
function in /wp-includes/functions.php improperly validating uploaded
files. This can be exploited to execute arbitrary PHP code by
uploading a malicious PHP script with multiple extensions.
Successful exploitation of this vulnerability requires that Apache
is not configured to handle the mime-type for media files with an e.g.
“gif”, “jpg”, “png”, “tif”, “wmv” extension.

Input passed via certain parameters to press-this.php is not
properly sanitised before being displayed to the user. This can be
exploited to insert arbitrary HTML and script code, which will be
executed in a user’s browser session in context of an affected site
when the malicious data is being viewed.
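
The first issue in the advisory comes down to an upload check that looks only at the last extension of a file name. The following is an added example, not WordPress code and not the vendor's fix: it puts a last-extension check beside one that inspects every dot-separated segment. The function names, the allowlist, the script-extension list and the sample file names are all assumptions constructed for illustration.

```php
<?php
// Added illustration, not WordPress code. All names and lists are assumptions.

// Extensions the application is willing to store (constructed allowlist).
const ALLOWED_FINAL_EXT = ['gif', 'jpg', 'jpeg', 'png', 'tif', 'wmv'];

// Extensions a web server may map to a script handler (constructed, not exhaustive).
const SCRIPT_EXT = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl'];

/** Weak form: considers only the text after the last dot. */
function last_extension_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_FINAL_EXT, true);
}

/** Hardened form: checks every dot-separated segment after the base name. */
function upload_name_allowed(string $filename): bool
{
    // Drop any directory part, treating both slash styles as separators.
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return false;                      // empty, dotfile, or embedded NUL
    }
    $parts = explode('.', strtolower($name));
    array_shift($parts);                   // discard the base name
    if ($parts === []) {
        return false;                      // no extension at all
    }
    $final = array_pop($parts);
    if (!in_array($final, ALLOWED_FINAL_EXT, true)) {
        return false;                      // final extension must be allowlisted
    }
    foreach ($parts as $segment) {
        if (in_array($segment, SCRIPT_EXT, true)) {
            return false;                  // script extension hidden mid-name
        }
    }
    return true;
}

// Constructed sample names: compare the two checks side by side.
foreach (['holiday.jpg', 'report.v2.png', 'holiday.php.jpg', 'notes.txt'] as $n) {
    printf("%-16s last-ext: %-5s all-segments: %s\n", $n,
        var_export(last_extension_allowed($n), true),
        var_export(upload_name_allowed($n), true));
}
```

Storing uploads under a server-generated name with a single allowlisted extension removes the dependence on the script-extension list being complete.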