Vulnerability CVE-2023-3342


Published: 2023-07-13

Description:
The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation in the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files to the affected site's server, which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.

Notes in our database for this CVE:

Severity  Title                                                    Author      Date
High      WordPress User Registration 3.0.2 Arbitrary File Upload  Lana Codes  13.07.2023

Type:

CWE-434 (Unrestricted Upload of File with Dangerous Type)

References:
https://lana.codes/lanavdb/c0a58dff-7a5b-4cc0-82d6-2255e61d801c/
https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156
https://www.wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d?source=cve
https://plugins.trac.wordpress.org/changeset/2933689/user-registration/trunk/includes/functions-ur-core.php

Copyright 2024, cxsecurity.com

 
