• Resolved hcolf

    (@hcolf)


    I use the SiteLock service to scan my site for vulnerabilities. On 4/7 they reported a critical error with the old version of Cforms, so yesterday I upgraded to version 14.14 hoping the error would be resolved in the new version. In today’s SiteLock report I have the following error reported for CForm2 version 14.14:

    Cforms2 14.14

    Severity: Critical

    Category: rce

    Summary: CformsII 14.7 – Remote Code Execution via Unauthorised File upload

    Description: Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the cf_uploadfile2[] parameter, then accessing the file via a direct request to the file in the default upload directory.

    My WordPress version is 4.8.6.

    I need a solution to this issue ASAP or I may be required to remove Cforms from my system.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author bgermann

    (@bgermann)

    Most probably you have the old cformsII version still activated. Please check your plugins and deactivate the cformsII version < 14.14. If you only see version 14.14, please post your site’s URL for further investigation.

    As you can see at https://wpvulndb.com/vulnerabilities/7752 the vulnerability is fixed with 14.8, so 14.14 is not affected.

    Thread Starter hcolf

    (@hcolf)

    I deactivated the old version yesterday just after I activated the 14.14 version. Do I need to delete the old version? If I do, will it impact the forms that were built with the old version and are now active in the new version?

    Plugin Author bgermann

    (@bgermann)

    Deleting the old version won’t impact the forms. But if you have forms with uploads, maybe there are uploads in the directory. If you want to keep them, please check that you do not delete them.

    Maybe the SiteLock service has some kind of caching involved or it checks for the availability of certain subdirectories (cforms) in your wp-plugin directory. This could be responsible for the false positive report.

  • The topic ‘Remote Code Execution via Unauthorised File upload vulnerability’ is closed to new replies.
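
Both replies turn on whether an old cformsII copy is still present in the plugins directory, since deactivating a plugin leaves its files on disk. The script below is an added example, not code from the thread or the plugin: it lists every `cforms*` directory under a plugins path and compares its `Version:` plugin header with 14.8, the fixed release cited above. The `cforms*` directory pattern, the function names and the status labels are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: cformsII copies live in directories named cforms*.
FIXED_VERSION="14.8"   # release the thread cites as containing the fix

# Print the "Version:" plugin header found in a plugin directory's top-level PHP files.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's|^[[:space:]/*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*|\1|p' "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric, field by field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print "directory<TAB>version<TAB>status" per cforms* directory; return 1 if any is older than the fix.
audit_cforms() {
    found_old=0
    for d in "$1"/cforms*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if ! ver=$(plugin_version "${d%/}"); then
            printf '%s\tunknown\tCHECK-MANUALLY\n' "$name"
        elif version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s\t%s\tOLDER-THAN-FIX\n' "$name" "$ver"
            found_old=1
        else
            printf '%s\t%s\tOK\n' "$name" "$ver"
        fi
    done
    return "$found_old"
}

# Usage: sh audit_cforms.sh /path/to/wp-content/plugins
if [ -n "${1:-}" ]; then audit_cforms "$1"; fi
```

Before removing a directory flagged `OLDER-THAN-FIX`, check it for form uploads you want to keep, as the plugin author notes above.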