image credit: unsplash
Tracked as CVE-2021-25094 (CVSS score of 8.1), the vulnerability exists because one of the supported actions does not require authentication when uploading a zip file that is extracted under the WordPress upload directory.
While the plugin includes an extension control, this can be bypassed by adding a PHP shell with a filename that begins with a dot (“.”). Furthermore, a race condition in the extraction process allows for an attacker to call the shell file.
Comments are closed.
