Vulnerability Description
The Frontend File Manager (versions < 4.0), N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the `nm_filemanager_upload_file` and `nm_postfront_upload_file` AJAX actions. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Najeebmedia | Frontend File Manager | < 4.0 |
| Najeebmedia | Post Front-End Form | < 1.1 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/nmedia-user-file-uploader/#developersProduct
- https://wpscan.com/vulnerability/052f7d9a-aaff-4fb1-92b7-aeb83cc705a7Third Party Advisory
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-n-media-post-frontThird Party Advisory
- https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerabiExploitThird Party Advisory
- https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerabiExploitThird Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1e6298-f243-49a5-b1bThird Party Advisory
FAQ
What is CVE-2016-15042?
CVE-2016-15042 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Frontend File Manager (versions < 4.0), N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the `nm_...
How severe is CVE-2016-15042?
CVE-2016-15042 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-15042?
Check the references section above for vendor advisories and patch information. Affected products include: Najeebmedia Frontend File Manager, Najeebmedia Post Front-End Form.