Unauthorized File Upload Vulnerability in N-Media File Manager
CVE-2016-15042
9.8 CRITICAL
Key Information
- Vendor: Nmedia
- Status
- N-media Post Front-end Form
- Frontend File Manager Plugin
- Vendor
- CVE Published: 16 October 2024
Summary
The Frontend File Manager (versions < 4.0) and N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation in the `nm_filemanager_upload_file` and `nm_postfront_upload_file` AJAX actions. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Affected Version(s)
N-Media Post Front-end Form <= 1.0
Frontend File Manager Plugin < 4.0
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published.
Vulnerability Reserved.
Disclosed
Collectors
NVD Database, Mitre Database