ListingPro < 2.6.1 - Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation

2020-12-17T00:00:00
ID WPVDB-ID:814D5F2D-399A-4738-A48B-009C4F8043EE
Type wpvulndb
Reporter wpvulndb
Modified 2020-12-18T06:01:06

Description

Unauthenticated users could install, activate, or deactivate arbitrary plugins, including installing one from a remote source under their control (by setting $_REQUEST['ccDestin'] to external and $_REQUEST['ccFileUrl'] to the remote ZIP file).
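
A log check for the request pattern described above, as an added example that is not part of the advisory or of ListingPro's code: it scans web server access logs for requests whose query string sets ccDestin to external together with ccFileUrl, and reports the client and the ZIP host. The log lines, the /PLACEHOLDER path, and the function name are constructed for illustration; the advisory does not name the vulnerable endpoint, so the check matches on the parameters only.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format. /PLACEHOLDER stands in for
# the request path, which the advisory does not give.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2020:10:01:02 +0000] "GET /PLACEHOLDER?ccDestin=external&ccFileUrl=https%3A%2F%2Ffiles.example.net%2Fp.zip HTTP/1.1" 200 51 "-" "curl/7.68.0"
192.0.2.10 - - [17/Dec/2020:10:03:00 +0000] "GET /?s=ccFileUrl+external HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.11 - - [17/Dec/2020:10:04:00 +0000] "POST /PLACEHOLDER HTTP/1.1" 200 51 "-" "-"
198.51.100.4 - - [17/Dec/2020:10:05:30 +0000] "POST /PLACEHOLDER?ccFileUrl=https://files.example.org/a.zip&ccDestin=EXTERNAL HTTP/1.1" 200 51 "-" "-"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_remote_install_requests(log_text):
    """Return one record per request carrying ccDestin=external plus ccFileUrl."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, method, target, status = m.groups()
        # PHP parameter names are case-sensitive, so keys are matched exactly.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # Assumption: compare the value case-insensitively so that variants
        # are still surfaced for review.
        dest = [v.strip().lower() for v in params.get("ccDestin", [])]
        urls = params.get("ccFileUrl", [])
        if "external" in dest and urls:
            zip_url = urls[-1]  # PHP keeps the last value of a repeated key
            hits.append({
                "ip": ip, "time": when, "method": method,
                "status": int(status), "zip_url": zip_url,
                "zip_host": urlsplit(zip_url).hostname,
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_install_requests(SAMPLE_LOG):
        print(hit)
```

$_REQUEST also carries POST body fields, which standard access logs do not record (the third sample line), so a clean result here does not rule out use of the parameters; request-body logging at a WAF or reverse proxy is needed to cover that case.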