Arbitrary file upload in WP Live Chat Support - CVE-2018-12426

Published: May 17, 2019


Vulnerability identifier: #VU18516
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2018-12426
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WP-LiveChat
Affected software:
WP Live Chat Support

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to absent validation of the file extension when files are uploaded via the v1/remote_upload request. A remote attacker can upload an arbitrary .php file to the server and then request it, so that the web server executes the attacker's PHP code.

Successful exploitation of the vulnerability allows an attacker to execute arbitrary code in the context of the web server and fully compromise the vulnerable system.
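The following is an added example, not code from WP Live Chat Support or from the advisory, showing what the missing check looks like in general terms: a "vulnerable" handler that trusts the client-supplied filename, a hardened validator that enforces an extension allowlist, rejects server-executable extensions in any segment of the name (so shell.php.jpg fails too) and checks the file's magic bytes, and a post-incident helper that lists uploaded files whose names carry such an extension. The extension set, the allowlist and the magic-byte table are constructed assumptions; the upload directory layout of the real plugin is not known from the page.

```python
"""Added example (not the plugin's code): upload validation that the
vulnerability described above lacks, plus a post-incident check."""
import os
import re
from typing import Iterable, List, Optional

# Extensions a typical PHP web server hands to the interpreter.
# Constructed list; adjust to the server's actual handler configuration.
SERVER_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlist of accepted upload types: extension -> accepted magic bytes.
# Constructed; extend with whatever the chat feature legitimately needs.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}


def sanitize_filename(name: str) -> str:
    """Drop any path component and characters outside a conservative set."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
    return base or "upload"


def vulnerable_accept(name: str) -> str:
    """CWE-434 pattern: the extension is never checked, so 'shell.php'
    is stored under a web-reachable path as-is. Returns the path that
    would be written (hypothetical prefix; nothing is written here)."""
    return "uploads/" + sanitize_filename(name)


def validate_upload(name: str, data: bytes) -> Optional[str]:
    """Return the safe destination filename, or None to reject the upload."""
    base = sanitize_filename(name)
    parts = base.lower().split(".")
    if len(parts) < 2:            # no extension at all (also catches .htaccess)
        return None
    # Every segment after the first counts: 'shell.php.jpg' must be rejected
    # even though its final extension is allowed, because some servers
    # dispatch on any recognised segment in the name.
    if any(p in SERVER_EXECUTABLE_EXTS for p in parts[1:]):
        return None
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return None
    # Extension alone is not enough: the content must match the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return None
    # Store with a single extension segment: 'a.b.png' -> 'a_b.png'.
    return "_".join(parts[:-1]) + "." + ext


def find_executable_uploads(paths: Iterable[str]) -> List[str]:
    """Given relative paths from an uploads tree (e.g. from os.walk or
    `find`), return those whose filename carries a server-executable
    extension in any segment. Useful when checking whether a .php file
    was dropped before the update was applied."""
    hits = []
    for p in paths:
        segments = os.path.basename(p).lower().split(".")[1:]
        if any(s in SERVER_EXECUTABLE_EXTS for s in segments):
            hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(vulnerable_accept("../../shell.php"))
    print(validate_upload("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff\xe0"))
    print(find_executable_uploads(["2019/05/photo.png", "2019/05/shell.php"]))
```

The rejection order matters: a name is refused on its extension segments before the content is examined, so a PHP file renamed to .png still fails on the magic-byte check, and a real JPEG named shell.php.jpg still fails on the segment check.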


How to mitigate CVE-2018-12426

Install updates from the vendor's website. Until the update is applied, confirm that the web server does not execute PHP from the plugin's upload directories, and inspect those directories for unexpected .php files, since a file uploaded before patching remains on the server afterwards.

Sources