module
WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
| Disclosed |
|---|
| Nov 14, 2020 |
Disclosed
Nov 14, 2020
Description
The AIT CSV Import/Export plugin execute arbitrary PHP code. The upload-handler does not require authentication, nor validates
the uploaded content. It may return an error when attempting to parse a CSV, however the
uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not
required to be activated to be exploitable.
the uploaded content. It may return an error when attempting to parse a CSV, however the
uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not
required to be activated to be exploitable.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.