CVE-2015-9272

The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code.
References
Link Resource
http://www.vapidlabs.com/advisory.php?v=117 Exploit Third Party Advisory
https://www.openwall.com/lists/oss-security/2015/04/01/2 Exploit Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:videowhisper:video_presentation:3.31.17:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2018-10-05 06:29

Updated : 2024-02-04 20:03


NVD link : CVE-2015-9272

Mitre link : CVE-2015-9272

CVE.ORG link : CVE-2015-9272


JSON object : View

Products Affected

videowhisper

  • video_presentation
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')