Description
Multiple vendor applications bundle FCKeditor. FCKeditor contains functionality to handle file uploads and file management (the "connector"). A remote attacker could use this functionality to upload malicious executable files to the system. To test file upload capabilities, Acunetix created a file named Acunetix_WVS_File_Upload_test.txt on the server.
Remediation
It is recommended to disable the file upload functionality in FCKeditor if it is not required.
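As an added illustration of this remediation (example code written for this page, not Acunetix's or FCKeditor's own), the script below audits an FCKeditor PHP connector configuration and shows the weak setting next to the corrected one. It assumes the FCKeditor 2.x PHP connector config file (`editor/filemanager/connectors/php/config.php`) switches the upload/file-manager connector on through the `$Config['Enabled']` key; that key name and path are assumptions from that file's layout, not something this page states. The sample configs are constructed inline.

```python
"""Audit an FCKeditor PHP connector config for the upload connector switch.

Assumption: the connector is gated by `$Config['Enabled']` in config.php
(FCKeditor 2.x PHP connector). Commented-out assignments are ignored and,
as in PHP, the last live assignment wins.
"""
import re

# lhs / val / rhs groups so the value can be rewritten while keeping spacing
_ENABLED_RE = re.compile(
    r"""(?P<lhs>\$Config\[\s*['"]Enabled['"]\s*\]\s*=\s*)(?P<val>true|false)(?P<rhs>\s*;)""",
    re.IGNORECASE,
)
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT_RE = re.compile(r"(//|#).*$", re.MULTILINE)


def strip_php_comments(text: str) -> str:
    """Remove /* */, // and # comments (good enough for a config file;
    a '#' or '//' inside a quoted string would also be stripped)."""
    text = _BLOCK_COMMENT_RE.sub("", text)
    return _LINE_COMMENT_RE.sub("", text)


def connector_enabled(config_text: str) -> bool:
    """True if the upload/file-manager connector is switched on."""
    matches = _ENABLED_RE.findall(strip_php_comments(config_text))
    if not matches:
        # No live assignment: treat as disabled, the shipped default (assumption).
        return False
    return matches[-1][1].lower() == "true"  # last assignment wins


def disable_connector(config_text: str) -> str:
    """Return the config with every Enabled assignment forced to false,
    i.e. the remediation applied (spacing and comments preserved)."""
    return _ENABLED_RE.sub(lambda m: m["lhs"] + "false" + m["rhs"], config_text)


def audit(config_text: str) -> str:
    """One-line finding for a config, in the page's terms."""
    if connector_enabled(config_text):
        return "FINDING: FCKeditor upload connector enabled; disable it if not required"
    return "OK: FCKeditor upload connector disabled"


# Constructed sample configs (shape mimics the connector config.php).
WEAK_CONFIG = """<?php
// constructed sample: connector switched on
$Config['Enabled'] = true ;
$Config['UserFilesPath'] = '/userfiles/' ;
"""

HARDENED_CONFIG = """<?php
// constructed sample: connector left off, the recommended state
$Config['Enabled'] = false ;
$Config['UserFilesPath'] = '/userfiles/' ;
"""

COMMENTED_CONFIG = """<?php
/* $Config['Enabled'] = true ; */
// $Config['Enabled'] = true ;
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("commented", COMMENTED_CONFIG)):
        print(f"{name:10s} {audit(cfg)}")
    print(disable_connector(WEAK_CONFIG))
```

Run it against the real config.php of each deployment found during an inventory; a `FINDING` line means the connector is reachable and `disable_connector` shows the change to apply (or apply it by hand). If the upload feature is genuinely required, the connector must stay enabled and the page's advice does not apply.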
References
Related Vulnerabilities
WordPress Plugin Import any XML or CSV File to WordPress Arbitrary File Upload (3.6.7)
WordPress Plugin Nmedia WordPress Member Conversation 'doupload.php' Arbitrary File Upload (1.3)
WordPress Plugin MailPoet Newsletters (Previous) Arbitrary File Upload (2.6.7)
WordPress Plugin Thumbnail carousel slider Arbitrary File Upload (1.0)
WordPress Plugin Wp-FileManager 'ajaxfilemanager.php' Arbitrary File Upload (1.2)