Main Vulnerability Database SB2013121501

SB2013121501 - Arbitrary file upload in WordPress OptimizePress Theme

Published: December 15, 2013 Updated: March 11, 2017

Security Bulletin ID SB2013121501

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Arbitrary file upload (CVE-ID: CVE-2013-7102)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The weakness exists due to improper validation of file extensions in "lib/admin/media-upload.php" script. A remote attacker can create a specially crafted HTTP request, upload a malicious PHP script and execute arbitrary PHP code.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the vulnerable system.

Remediation

Install update from vendor's website.

References

https://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html