WordPress Foxypress Plugin 'uploadify.php' Arbitrary File Upload Vulnerability Network Vulnerability

Summary

This host is running WordPress Foxypress Plugin and is prone to file upload vulnerability.

Impact

Successful exploitation will allow attacker to upload arbitrary PHP code and run it in the context of the Web server process. Impact Level: System/Application

Solution

Upgrade to WordPress Foxypress Plugin version 0.4.2.2 or later, For updates refer to http://wordpress.org/extend/plugins/foxypress/

Insight

The flaw is due to the wp-content/plugins/foxypress/uploadify/ uploadify.php script allowing to upload files with arbitrary extensions to a folder inside the webroot. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.

Affected

WordPress Foxypress Plugin version 0.4.2.1

References

http://osvdb.org/82652
http://packetstormsecurity.org/files/113283/wpfoxypress-shell.txt
http://secunia.com/advisories/49382
http://wordpress.org/extend/plugins/foxypress/changelog/
http://www.exploit-db.com/exploits/18991
http://www.securityfocus.com/bid/53805

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Adobe ColdFusion Multiple Vulnerabilities-02 May-2014
AdMentor Login Flaw
AjaXplorer zoho plugin Directory Traversal Vulnerability
AlefMentor Multiple SQL Injection Vulnerabilities
ARRIS 2307 Unprotected Web Console

Take action and discover your vulnerabilities