#VU18516 Arbitrary file upload in WP Live Chat Support - CVE-2018-12426

 


Published: May 17, 2019


Vulnerability identifier: #VU18516
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2018-12426
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
WP Live Chat Support
Software vendor:
WP-LiveChat

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists because the file extension is not validated when files are uploaded via the v1/remote_upload request. A remote attacker can upload an arbitrary .php file to the server and execute it.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
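
The missing control described above is a server-side extension check on the uploaded file name. The following is an added example, not the plugin's code or the vendor's fix: the function name, the allowlist and the sample file names are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for chat attachments; adjust to what the feature needs.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
// Extensions a web server may hand to an interpreter; rejected in any position.
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'cgi', 'pl', 'py', 'sh'];

/**
 * Returns a safe storage name for an uploaded file, or null to reject it.
 * The client-supplied name is used only to pick the extension.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop null bytes and any path component the client may have sent.
    $base = basename(str_replace(["\0", '\\'], ['', '/'], $clientName));
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // no extension, or a dotfile such as ".htaccess"
    }
    // The final segment must be on the allowlist (case already normalised).
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Reject names like "shell.php.jpg": some server configurations pass a file
    // to the interpreter when any segment matches a handler extension.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXT, true)) {
            return null;
        }
    }
    // Store under a random name so the client controls nothing but the extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from the advisory.
$samples = ['photo.jpg', 'shell.php', 'shell.php.jpg', 'shell.pHp', '../x.phtml', '.htaccess', 'notes.txt.'];
foreach ($samples as $name) {
    printf("%-16s => %s\n", $name, safe_upload_name($name) ?? 'REJECTED');
}
```

An extension check of this kind is normally paired with an upload directory where the web server does not execute scripts.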


Remediation

Install updates from the vendor's website.
