Arbitrary File Upload Vulnerability in Infusionsoft Gravity Forms Plugin for WordPress
CVE-2014-6446

Currently unrated

Key Information:

Vendor: Wordpress
Status: Infusionsoft Gravity Forms
Vendor: CVE Published:; 26 September 2014

Summary

The Infusionsoft Gravity Forms plugin versions 1.5.3 through 1.5.10 for WordPress suffers from a security vulnerability that allows remote attackers to upload arbitrary files. This exploitation can enable the execution of malicious PHP code through the utilities/code_generator.php script, thereby compromising the integrity of the affected WordPress site. Proper access control measures were not implemented, making it essential for users to update their installations to secure their environments.

References

http://packetstormsecurity.com/files/131002/Wordpress-Inf...

x_refsource_MISC

http://www.exploit-db.com/exploits/34925

exploitx_refsource_EXPLOIT-DB

https://wordpress.org/plugins/infusionsoft/changelog/

x_refsource_CONFIRM

EPSS Score

80% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Sep 26, 2014
Vulnerability Reserved
Sep 16, 2014