CVE-2015-1172 - Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka ho

CVE-2015-1172

Summary

Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory. <a href="http://cwe.mitre.org/data/definitions/434.html">CWE-434: Unrestricted Upload of File with Dangerous Type</a>

References

Vulnerable Configurations

cpe:2.3:a:holding_pattern_project:holding_pattern:0.6:*:*:*:*:wordpress:*:*
cpe:2.3:a:holding_pattern_project:holding_pattern:0.6:*:*:*:*:wordpress:*:*

CVSS

Base:	7.5 (as of 17-07-2017 - 13:18)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

d2sec via4

name	WordPress Holding Pattern Theme 0.6 File Upload
url	http://www.d2sec.com/exploits/wordpress_holding_pattern_theme_0.6_file_upload.html

refmap via4

bid	72546
misc	http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html https://wpvulndb.com/vulnerabilities/7784

Last major update

17-07-2017 - 13:18

Published

11-02-2015 - 19:59

Last modified

17-07-2017 - 13:18