WP Symposium Plugin for WordPress Arbitrary File Upload

Added: 01/29/2015
BID: 71686
OSVDB: 116046

Background

WP Symposium is a social network plugin for WordPress.

Problem

WP Symposium Plugin for WordPress contains a vulnerability that allows a remote attacker to execute arbitrary PHP code. This vulnerability is due to the /wp-symposium/server/file_upload_form.php script not properly verifying user-uploaded files and placing the files in a user-accessible location. A successful attacker can execute the uploaded script with the privileges of the web server.

Resolution

Upgrade the WP Symposium plugin when a fix is available. WP Symposium 14.12 has been released and is presumed to contain a fix.
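
To check whether a site was hit before the upgrade, the web server access log can be searched for the pattern described under Problem. The following is an added example, not part of the original advisory: it flags clients that POST to the upload script and are then served a script URL that no one had requested before. The combined log format, the 30-minute window, the first-seen heuristic and the sample log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Script path as given in the advisory; matched as a substring because the
# plugin's install prefix differs between sites.
UPLOAD_SCRIPT = "/wp-symposium/server/file_upload_form.php"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_suspects(lines, window=timedelta(minutes=30)):
    """Return (ip, upload_time, path) for script URLs that are first served
    (HTTP 200) to a client shortly after that client POSTed to the upload form."""
    last_upload, seen, hits = {}, set(), []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if UPLOAD_SCRIPT in path:
            if method == "POST" and status == 200:
                last_upload[ip] = ts
            continue
        if status != 200 or not SCRIPT_EXT.search(path):
            continue
        first_seen = path not in seen   # scripts requested earlier are known
        seen.add(path)
        up = last_upload.get(ip)
        if first_seen and up and timedelta(0) <= ts - up <= window:
            hits.append((ip, up, path))
    return hits

# Constructed sample log (documentation IP ranges, made-up upload paths).
P = "/wp-content/plugins" + UPLOAD_SCRIPT
SAMPLE = [
    '198.51.100.7 - - [29/Jan/2015:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 900',
    f'192.0.2.10 - - [29/Jan/2015:10:01:00 +0000] "POST {P} HTTP/1.1" 200 64',
    '192.0.2.10 - - [29/Jan/2015:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 900',
    '192.0.2.10 - - [29/Jan/2015:10:01:10 +0000] "GET /wp-content/uploads/constructed/x.php HTTP/1.1" 200 12',
    f'203.0.113.5 - - [29/Jan/2015:10:02:00 +0000] "POST {P} HTTP/1.1" 200 64',
    '203.0.113.5 - - [29/Jan/2015:10:02:05 +0000] "GET /wp-content/uploads/constructed/y.php HTTP/1.1" 404 0',
    '203.0.113.5 - - [29/Jan/2015:10:02:09 +0000] "GET /wp-content/uploads/constructed/photo.jpg HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for ip, when, path in find_suspects(SAMPLE):
        print(f"{ip} uploaded at {when:%H:%M:%S}, then fetched new script {path}")
```

A hit is a triage lead rather than proof: a legitimately deployed new script requested by the same client would match as well, so confirm by inspecting the file on disk.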

References

http://www.exploit-db.com/exploits/35543/

Limitations

Exploit works on WP Symposium 14.11.