Description
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
Remediation
References
Related Vulnerabilities
WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-4340)
Jetty Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-34429)
Drupal Improper Input Validation Vulnerability (CVE-2017-6921)
WordPress Plugin WP-StarsRateBox 'j' Parameter SQL Injection (1.1)