Vulnerability CVE-2007-3543

Vulnerability Name:

CVE-2007-3543 (CCN-35061)

Assigned:

2007-06-23

Published:

2007-06-23

Updated:

2008-11-15

Summary:

Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php.
Successful exploitation requires valid Editor credentials and that the system is configured to allow uploads.

CVSS v3 Severity:

4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.6 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P)
3.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2007-3543

Source: MITRE
Type: CNA
CVE-2007-3544

Source: CCN
Type: WordPress multi-user (MU) Web site
WordPress MU > Home

Source: OSVDB
Type: UNKNOWN
37295

Source: CCN
Type: SA25794
WordPress Custom Field PHP Script Upload

Source: SECUNIA
Type: Vendor Advisory
25794

Source: CONFIRM
Type: UNKNOWN
http://trac.mu.wordpress.org/changeset/1005

Source: CCN
Type: WordPress Web site
WordPress › Blog Tool and Weblog Platform

Source: CCN
Type: Buayacorp Web site
Arbitrary File Upload Vulnerability in WordPress and WordPress MU

Source: MISC
Type: UNKNOWN
http://www.buayacorp.com/files/wordpress/wordpress-advisory.html

Source: CCN
Type: OSVDB ID: 37294
WordPress / MU Multiple Script Unrestricted File Upload

Source: CCN
Type: OSVDB ID: 37295
WordPress / MU _wp_attached_file Metadata Unrestricted File Upload

Source: BID
Type: UNKNOWN
24642

Source: CCN
Type: BID-24642
WordPress Custom Field Arbitrary File Upload Vulnerability

Source: XF
Type: UNKNOWN
wordpress-wpapp-file-upload(35061)

Vulnerable Configuration:

Configuration 1:

cpe:/a:wordpress:wordpress:*:*:*:*:*:*:*:* (Version <= 2.2.0)

OR cpe:/a:wordpress:wordpress_mu:*:*:*:*:*:*:*:* (Version <= 1.2.2)

Configuration CCN 1:

cpe:/a:wordpress:wordpress:2.2:-:*:*:*:*:*:*

Denotes that component is vulnerable

BACK