WordPress Plugin: accesspress-anonymous-post-pro: CVE-2017-16949: Unrestricted Upload of File with Dangerous Type
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Dec 19, 2017 | May 15, 2025 | Jun 24, 2025 |
Description
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an `action=ap_file_upload_action&allowedExtensions[]=php` request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.
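The root cause described above is an upload handler that lets request fields (the extension allow-list and size limit) override server-side policy. The following is an added illustration of the hardened pattern for a WordPress admin-ajax upload endpoint; it is not the plugin's code, and the action name, option names and the `hyp_` prefix are assumed. Policy is read only from stored options, the file type is checked against a restricted copy of WordPress's own MIME map, and the stored filename is server-generated.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler showing how
// an admin-ajax upload endpoint should enforce its allow-list server-side so
// that request fields like allowedExtensions[] or sizeLimit are never consulted.

add_action( 'wp_ajax_hyp_file_upload', 'hyp_handle_file_upload' );
add_action( 'wp_ajax_nopriv_hyp_file_upload', 'hyp_handle_file_upload' );

function hyp_handle_file_upload() {
    // Tie the request to a form the site itself rendered.
    check_ajax_referer( 'hyp_file_upload', 'nonce' );

    // Upload policy comes from stored options only (option names assumed).
    // Nothing in $_POST or $_GET can widen this list or raise the size cap.
    $allowed   = (array) get_option( 'hyp_allowed_extensions', array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' ) );
    $max_bytes = (int) get_option( 'hyp_max_upload_bytes', 2 * 1024 * 1024 );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file received.', 400 );
    }
    $file = $_FILES['file'];

    if ( (int) $file['size'] > $max_bytes ) {
        wp_send_json_error( 'File too large.', 413 );
    }

    // Build a MIME map restricted to the allowed extensions from WordPress's
    // own table, so both the extension and the sniffed content type must match.
    $mimes = array();
    foreach ( wp_get_mime_types() as $ext_pattern => $mime ) {
        foreach ( explode( '|', $ext_pattern ) as $ext ) {
            if ( in_array( $ext, $allowed, true ) ) {
                $mimes[ $ext ] = $mime;
            }
        }
    }
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        // Covers .php, .phtml and any renamed script: not in the map, so rejected.
        wp_send_json_error( 'File type not permitted.', 415 );
    }

    // Discard the client-supplied name; store under a random, server-chosen
    // name with the validated extension. wp_handle_upload re-applies the
    // restricted MIME map as a second check before writing to uploads/.
    $file['name'] = wp_generate_password( 16, false ) . '.' . $check['ext'];
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The two properties that matter for this class of bug are visible in the handler: the request is never a source of upload policy, and the extension check is paired with a content check (`wp_check_filetype_and_ext`) rather than a string comparison on the filename alone. As a detection aid, admin-ajax requests whose body carries policy-like fields such as `allowedExtensions[]` or `sizeLimit` against an upload action are worth alerting on, since a correctly written endpoint has no reason to accept them.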
Solution
accesspress-anonymous-post-pro-plugin-cve-2017-16949