Vulnerability Description
actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remote attackers to bypass intended access restrictions to upload and execute arbitrary PHP code by setting the HTTP_REFERER to a certain value, then uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Likno | Allwebmenus Plugin | 1.1.8 |
| Wordpress | Wordpress | All versions |
Related Weaknesses (CWE)
References
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0137.htmlExploit
- http://secunia.com/advisories/47659Vendor Advisory
- http://wordpress.org/extend/plugins/allwebmenus-wordpress-menu-plugin/changelog/Patch
- http://www.exploit-db.com/exploits/18407Exploit
- http://www.securityfocus.com/bid/51615
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72640
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0137.htmlExploit
- http://secunia.com/advisories/47659Vendor Advisory
- http://wordpress.org/extend/plugins/allwebmenus-wordpress-menu-plugin/changelog/Patch
- http://www.exploit-db.com/exploits/18407Exploit
- http://www.securityfocus.com/bid/51615
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72640
FAQ
What is CVE-2012-1011?
CVE-2012-1011 is a vulnerability with a CVSS score of 7.5 (HIGH). actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remote attackers to bypass intended access restrictions to upload and execute arbitrary PHP code by setting the HTTP_REFERER to a certa...
How severe is CVE-2012-1011?
CVE-2012-1011 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-1011?
Check the references section above for vendor advisories and patch information. Affected products include: Likno Allwebmenus Plugin, Wordpress Wordpress.