
Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE

Description

The plugin allows a remote attacker to upload arbitrary files through its manual update functionality, leading to unauthenticated remote code execution.

Note (WPScanTeam):
- The issue was escalated to Envato on March 30th, 2021, and the plugin has been removed from the marketplace.
- The issue appears to have been exploited by malicious actors for a few months, as some reviews/comments suggest (https://codecanyon.net/item/business-hours-pro-wordpress-plugin/reviews/9414879).

