9.8
CVE-2019-25138
- EPSS 3.58%
- Published 07.06.2023 02:15:09
- Last modified 21.11.2024 04:39:57
- Source security@wordfence.com
- CVE-Watchlists
- Open
LoginUser Submitted Posts <= 20190312 - Unauthenticated Arbitrary File Upload
The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Mögliche Gegenmaßnahme
User Submitted Posts – Enable Users to Submit Posts from the Front End: Update to version 20190426, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Product
User Submitted Posts – Enable Users to Submit Posts from the Front End
Version
[*, 20190426)
Data is provided by the National Vulnerability Database (NVD)
Plugin-planet ≫ User Submitted Posts SwPlatformwordpress Version <= 20190312
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.58% | 0.866 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.