CVE-2016-15042

The Frontend File Manager (versions < 4.0), N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the `nm_filemanager_upload_file` and `nm_postfront_upload_file` AJAX actions. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:najeebmedia:frontend_file_manager:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:najeebmedia:post_front-end_form:*:*:*:*:*:wordpress:*:*

History

30 Oct 2024, 21:12

Type Values Removed Values Added
CPE cpe:2.3:a:najeebmedia:frontend_file_manager:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:najeebmedia:post_front-end_form:*:*:*:*:*:wordpress:*:*
References () https://wordpress.org/plugins/nmedia-user-file-uploader/#developers - () https://wordpress.org/plugins/nmedia-user-file-uploader/#developers - Product
References () https://wpscan.com/vulnerability/052f7d9a-aaff-4fb1-92b7-aeb83cc705a7 - () https://wpscan.com/vulnerability/052f7d9a-aaff-4fb1-92b7-aeb83cc705a7 - Third Party Advisory
References () https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-n-media-post-front-end-form-arbitrary-file-upload-1-0/ - () https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-n-media-post-front-end-form-arbitrary-file-upload-1-0/ - Third Party Advisory
References () https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-front-end-file-upload-and-manager-plugin/ - () https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-front-end-file-upload-and-manager-plugin/ - Exploit, Third Party Advisory
References () https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-post-front-end-form/ - () https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-post-front-end-form/ - Exploit, Third Party Advisory
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1e6298-f243-49a5-b1b7-52bd6a6c8858?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1e6298-f243-49a5-b1b7-52bd6a6c8858?source=cve - Third Party Advisory
First Time Najeebmedia frontend File Manager
Najeebmedia
Najeebmedia post Front-end Form

16 Oct 2024, 16:38

Type Values Removed Values Added
Summary
  • (es) Los complementos Frontend File Manager (versiones &lt; 4.0) y N-Media Post Front-end Form (versiones &lt; 1.1) para WordPress son vulnerables a la carga de archivos arbitrarios debido a la falta de validación del tipo de archivo a través de las acciones AJAX `nm_filemanager_upload_file` y `nm_postfront_upload_file`. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios en el servidor de los sitios afectados, lo que puede hacer posible la ejecución remota de código.

16 Oct 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-16 08:15

Updated : 2024-10-30 21:12


NVD link : CVE-2016-15042

Mitre link : CVE-2016-15042

CVE.ORG link : CVE-2016-15042


JSON object : View

Products Affected

najeebmedia

  • frontend_file_manager
  • post_front-end_form
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type