Unrestricted file upload vulnerability in frames/upload-images.php in the Complete Gallery Manager plugin before 3.3.4 rev40279 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/[year]/[month]/.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Complete_gallery_manager_plugin | Envato | * | 3.3.3 (including) |
| Complete_gallery_manager_plugin | Envato | 1.0.0-rev25273 (including) | 1.0.0-rev25273 (including) |
| Complete_gallery_manager_plugin | Envato | 1.0.1-rev25421 (including) | 1.0.1-rev25421 (including) |
| Complete_gallery_manager_plugin | Envato | 1.0.2-rev25487 (including) | 1.0.2-rev25487 (including) |
| Complete_gallery_manager_plugin | Envato | 2.0.0-rev27524 (including) | 2.0.0-rev27524 (including) |
| Complete_gallery_manager_plugin | Envato | 2.0.1-rev27876 (including) | 2.0.1-rev27876 (including) |
| Complete_gallery_manager_plugin | Envato | 2.0.2-rev28693 (including) | 2.0.2-rev28693 (including) |
| Complete_gallery_manager_plugin | Envato | 2.0.3-rev28734 (including) | 2.0.3-rev28734 (including) |
| Complete_gallery_manager_plugin | Envato | 3.0.0-rev29469 (including) | 3.0.0-rev29469 (including) |
| Complete_gallery_manager_plugin | Envato | 3.0.1-rev29536 (including) | 3.0.1-rev29536 (including) |
| Complete_gallery_manager_plugin | Envato | 3.1.0-rev30003 (including) | 3.1.0-rev30003 (including) |
| Complete_gallery_manager_plugin | Envato | 3.1.1-rev30900 (including) | 3.1.1-rev30900 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.0-rev31030 (including) | 3.2.0-rev31030 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.1-rev33197 (including) | 3.2.1-rev33197 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.2-rev33971 (including) | 3.2.2-rev33971 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.3-rev34390 (including) | 3.2.3-rev34390 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.4-rev34757 (including) | 3.2.4-rev34757 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.5-rev34942 (including) | 3.2.5-rev34942 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.6-rev36235 (including) | 3.2.6-rev36235 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.7-rev36257 (including) | 3.2.7-rev36257 (including) |
| Complete_gallery_manager_plugin | Envato | 3.2.8-rev36369 (including) | 3.2.8-rev36369 (including) |
| Complete_gallery_manager_plugin | Envato | 3.3.0-rev36620 (including) | 3.3.0-rev36620 (including) |
| Complete_gallery_manager_plugin | Envato | 3.3.1-rev38906 (including) | 3.3.1-rev38906 (including) |
| Complete_gallery_manager_plugin | Envato | 3.3.2-rev39009 (including) | 3.3.2-rev39009 (including) |
References
- http://archives.neohapsis.com/archives/bugtraq/2013-09/0090.html
- http://codecanyon.net/item/complete-gallery-manager-for-wordpress/2418606
- http://packetstormsecurity.com/files/123303
- http://secunia.com/advisories/54894
- http://www.exploit-db.com/exploits/28377
- http://www.vulnerability-lab.com/get_content.php?id=1080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/87172
- http://archives.neohapsis.com/archives/bugtraq/2013-09/0090.html
- http://codecanyon.net/item/complete-gallery-manager-for-wordpress/2418606
- http://packetstormsecurity.com/files/123303
- http://secunia.com/advisories/54894
- http://www.exploit-db.com/exploits/28377
- http://www.vulnerability-lab.com/get_content.php?id=1080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/87172