Description
The plugin does not validate uploaded files, which could allow attackers to upload arbitrary files, such as PHP files, to the server.
1) cmd.php with the contents ``
2) Go to https://example.com/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory
3) Then upload a file with the PHP extension
4) Follow the link https://example.com/wp-content/uploads/protectedfiles/{filename}.php?cmd=ps+aux
5) You will be able to see a list of processes when the PHP is executed

| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 2.5.2 |
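
The validation the Description says is missing, sketched as a hardened WordPress upload handler. This is an added example, not the plugin's own code; the hook name, nonce action, form field name and allow-list are hypothetical.

```php
<?php
// Added example, not the plugin's code. The hook, nonce action, field name
// and allow-list below are hypothetical.
add_action( 'admin_post_example_private_upload', 'example_handle_private_upload' );

function example_handle_private_upload() {
    // Only an administrator presenting a valid nonce may upload.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_private_upload' );

    if ( empty( $_FILES['example_file'] ) || UPLOAD_ERR_OK !== $_FILES['example_file']['error'] ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['example_file'];

    // Allow-list of extension => MIME type; everything else, .php included, is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Matches the extension against the allow-list and compares it with the
    // content type WordPress detects in the temporary file.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 400 ) );
    }

    // Server-generated name: the client controls neither the name nor the extension.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'protectedfiles';
    wp_mkdir_p( $dir );
    $name = wp_unique_filename( $dir, wp_generate_password( 16, false ) . '.' . $check['ext'] );

    if ( ! move_uploaded_file( $file['tmp_name'], trailingslashit( $dir ) . $name ) ) {
        wp_die( 'Upload failed', '', array( 'response' => 500 ) );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
```

Configuring the web server so that nothing under `wp-content/uploads/protectedfiles/` is executed as a script gives a second layer if a validation check is ever bypassed.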