WordPress Third Party Modules Multiple Vulnerabilities


Description   Several vulnerabilities have been identified in third-party plugins for WordPress:
- W3 Total Cache: arbitrary file upload, cross-site request forgery (CSRF), PHP arbitrary code injection, security token bypass
- N-Media Front end file upload and manager: arbitrary file upload
- N-Media Website Contact Form with File Upload: arbitrary file upload
- WooCommerce Extra Fields: arbitrary file upload

Proofs of concept are available.
     
Vulnerable Products   Vulnerable Software:
WordPress (WordPress) -
     
Solution   - WooCommerce Extra Fields: 2.0
     
CVE  
     
References   - SecuPress : 4 New Security Flaws in W3 Total Cache 0.9.4.1
https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/
- Plugin Vulnerabilities : Arbitrary File Upload Vulnerability in Front end file upload and manager Plugin
https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-front-end-file-upload-and-manager-plugin/
- Plugin Vulnerabilities : Arbitrary File Upload Vulnerability in N-Media Website Contact Form with File Upload
https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-website-contact-form-with-file-upload/
- Plugin Vulnerabilities : Arbitrary File Upload Vulnerability in WooCommerce Extra Field
https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-woocommerce-extra-fields/
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (Available Since)
- Upload of a PHP file in a vulnerable web application (5.0.0)
- Suspicious access to a php file in a vulnerable application upload directory (5.0.0)
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2016-09-27

Target Type   Server

Possible exploit   Remote