CVE-2014-9521

Name of the Vulnerable Software and Affected Versions InfiniteWP Admin Panel versions prior to 2.4.4

Description The issue allows remote attackers to execute arbitrary code by uploading a file with a double extension and then accessing it via a direct request to the file in the uploads directory. This can be achieved by setting the allWPFiles query parameter in the uploadScript.php file. For example, a file with the .php.swp filename can be used to demonstrate this.

Recommendations For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the uploadScript.php file or disabling the file upload functionality until a patch is applied. Avoid using the allWPFiles query parameter in the affected API endpoint until the issue is resolved.