PT-2012-5016 · WordPress · Font Uploader
Sammy Forgit
·
Published
2012-06-27
·
Updated
2012-06-28
·
CVE-2012-3814
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Font Uploader plugin version 1.2.4
Description
Font Uploader 1.2.4 ships an upload handler, font-upload.php, that can be reached without authentication and treats a file as a font as long as its name ends in .ttf; it does not reject the file because another extension such as .php precedes the .ttf, and it does not check the content. A remote attacker therefore uploads a PHP script named, for example, shell.php.ttf, which is stored in the plugin's fonts directory (font-uploader/fonts). On web servers that hand any file with .php among its extensions to the PHP interpreter (the common Apache AddHandler configuration for mod_php), a direct request to the stored file then executes the attacker's code with the web server's privileges. The CVSS vector reflects this: network reachable, low complexity, no authentication, partial impact on confidentiality, integrity and availability.
Recommendations
A patched release of Font Uploader was not available when this advisory was published. Until one is, remove font-upload.php from the 1.2.4 installation or deny access to it at the web server, and stop using the plugin's upload feature; that closes the entry point. Independently of the plugin, configure the web server so that nothing under font-uploader/fonts is ever passed to the PHP handler, which blocks the double-extension route even if a file does get uploaded. If fonts have already been uploaded, inspect that directory for names carrying more than one extension and for contents that begin with a PHP open tag rather than a font header.
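As an added example (not the plugin's code and not a reconstruction of it), the following PHP contrasts the kind of suffix check that lets shell.php.ttf through, as described above, with a stricter validator that implements the recommendations: a single-extension allowlist, a magic-byte check on the content, and a server-generated filename. The function names, the fonts directory path and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the Font Uploader plugin's code. Contrasts a weak
// suffix check with a stricter upload validator. Function names, the fonts
// directory path and the sample inputs below are assumptions for illustration.

declare(strict_types=1);

// Weak pattern: accepts any name that contains ".ttf", so "shell.php.ttf"
// passes and, under an Apache AddHandler mapping for .php, later runs as PHP.
function weak_extension_check(string $name): bool
{
    return preg_match('/\.ttf/i', $name) === 1;
}

// Strict pattern: basename must have exactly one dot, not lead with it, and
// the extension taken from the end must be on the allowlist. A name with a
// second extension never reaches the allowlist comparison.
function strict_extension_check(string $name): bool
{
    static $allowed = ['ttf', 'otf'];
    $base = basename($name);
    if ($base === '' || $base[0] === '.' || substr_count($base, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Content check: sfnt-based fonts (TrueType/OpenType) start with one of these
// 4-byte tags. Defence in depth only: PHP ignores bytes before its open tag,
// so a polyglot with a valid tag followed by "<?php" still executes if the
// server ever hands the file to the PHP interpreter.
function looks_like_font(string $bytes): bool
{
    return in_array(substr($bytes, 0, 4), ["\x00\x01\x00\x00", 'true', 'OTTO'], true);
}

// Storage path from a server-chosen random name; the client's filename
// contributes nothing but its already validated extension.
function safe_target_path(string $clientName, string $bytes, string $fontDir): ?string
{
    if (!strict_extension_check($clientName) || !looks_like_font($bytes)) {
        return null;
    }
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    return rtrim($fontDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs. Run with: php this_file.php
$fontDir   = '/var/www/html/wp-content/plugins/font-uploader/fonts'; // assumed path
$ttfHeader = "\x00\x01\x00\x00\x00\x0c";                             // constructed TTF prefix
$phpShell  = "<?php system(\$_GET['c']); ?>";                        // constructed payload body

$cases = [
    ['Roboto.ttf',    $ttfHeader],
    ['shell.php.ttf', $phpShell],   // the pattern from the advisory
    ['shell.ttf',     $phpShell],   // right extension, wrong content
    ['shell.ttf.php', $phpShell],
];
foreach ($cases as [$name, $bytes]) {
    printf("%-14s weak=%s strict=%s stored=%s\n",
        $name,
        weak_extension_check($name) ? 'accept' : 'reject',
        strict_extension_check($name) ? 'accept' : 'reject',
        safe_target_path($name, $bytes, $fontDir) ?? '-');
}
```

Running it shows the weak check accepting every name that contains .ttf, the strict check rejecting both double-extension names, and the content check additionally refusing a PHP body under a plain .ttf name. The extension allowlist and a web-server rule that disables PHP execution under font-uploader/fonts are the decisive controls; the magic-byte check is a supplementary signal, not a barrier on its own.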
Exploit · Fix · RCE
Affected Products
Font Uploader