Cross-Site Request Forgery in File Manager WordPress plugin
------------------------------------------------------------------------
David Vaartjes, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File
Manager WordPress Plugin. Among other things, this issue can be used to
upload arbitrary PHP files to the server.
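As an added example (not code from the File Manager plugin or its author), this is the standard WordPress pattern a plugin's upload handler should follow so that a request forged from another site cannot trigger it: the form carries a nonce bound to the logged-in user and a specific action, and the handler refuses to act unless that nonce and a sufficient capability are present. The hook name example_fm_upload, the nonce and file field names, and the manage_options capability are assumptions chosen for the example.

```php
<?php
// Added example, not the File Manager plugin's code. Demonstrates the
// WordPress nonce + capability guard that blocks CSRF on an upload handler.
// Hook name, nonce action, field names and capability are assumptions.

// Render the upload form with a nonce tied to this action and this user.
function example_fm_render_upload_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '" enctype="multipart/form-data">';
    echo '<input type="hidden" name="action" value="example_fm_upload">';
    // Emits a hidden field named example_fm_nonce containing a nonce for the
    // action string "example_fm_upload"; an attacker's page cannot know it.
    wp_nonce_field( 'example_fm_upload', 'example_fm_nonce' );
    echo '<input type="file" name="example_file">';
    echo '<button type="submit">Upload</button></form>';
}

// Handler for the form above. Every check happens before the upload is touched.
function example_fm_handle_upload() {
    // Calls wp_die() unless example_fm_nonce holds a valid, unexpired nonce
    // for "example_fm_upload" issued to the current user. This is the check
    // whose absence makes a handler vulnerable to CSRF.
    check_admin_referer( 'example_fm_upload', 'example_fm_nonce' );

    // A nonce only proves the request originated from a page this site served
    // to this user; still require an appropriately privileged role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    if ( empty( $_FILES['example_file'] ) ) {
        wp_die( 'No file uploaded.', 400 );
    }

    // wp_handle_upload() validates the extension/MIME pair against the site's
    // allowed types, which do not include .php, so executable files are rejected.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['example_file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example_fm&uploaded=1' ) );
    exit;
}

// admin_post_{action} fires only for authenticated users posting to admin-post.php.
add_action( 'admin_post_example_fm_upload', 'example_fm_handle_upload' );
```

The two guards are independent and both are needed: check_admin_referer() stops a forged request that rides on a victim's session, while current_user_can() stops a low-privileged but legitimately logged-in user from reaching the handler at all. Delegating the write to wp_handle_upload() rather than move_uploaded_file() adds a third layer by enforcing the site's allowed file types.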
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0029
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the File Manager WordPress Plugin
version 3.0.1.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_file_manager_wordpress_plugin.html
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.