Security Advisories: Nov 11 to Nov 17, 2024

Title: WordPress Instant Image Generator (One Click Image Uploads from Pixabay, Pexels and OpenAI) plugin <= 1.5.4 – Arbitrary File Upload vulnerability

Published Date: Nov 14, 2024

Risk Index: 4.96 of 10 (Medium)

Summary: A critical vulnerability has been identified in the Instant Image Generator plugin for WordPress, specifically in the component responsible for handling image uploads. This vulnerability allows an attacker to upload malicious files to the web server.

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data by uploading and executing arbitrary malicious scripts on the affected server. This can lead to a complete compromise of the web server, unauthorized access to the internal network, and exfiltration or destruction of data.

Title: WordPress kineticPay for WooCommerce plugin <= 2.0.8 – Arbitrary File Upload vulnerability

Published Date: Nov 14, 2024

Risk Index: 4.96 of 10 (Medium)

Summary: A critical vulnerability has been identified in the XML parser component of Kinetic Innovative Technologies Sdn Bhd’s kineticPay for WooCommerce plugin, which allows the unrestricted upload of files with dangerous types, specifically enabling the upload of a web shell to a web server.

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. The attacker can manipulate server files and shell environments, execute commands remotely, escalate privileges, and carry out other malicious activities, severely compromising the privacy and security of the web server and its hosted applications.

Title: Arbitrary file upload in SugarCRM

Published Date: Dec 30, 2012

Risk Index: 9.77 of 10 (Critical)

Summary: A critical vulnerability has been identified in the EmailTemplates component of SugarCRM, a customer relationship management system. A crafted request can inject custom PHP code due to missing input validation.

If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code, and potentially compromise the entire affected system. The attacker can embed malicious code in a seemingly harmless file, which, when executed, can provide full control over the server.


Check out our Vulnerability Notices to keep up to date with the vulnerabilities to watch out for.
