CVE-2017-16949

Name of the Vulnerable Software and Affected Versions AccessKeys AccessPress Anonymous Post Pro plugin versions through 3.1.9

Description The issue is related to improper input sanitization, allowing an attacker to override settings for allowed file extensions and upload file size. This is due to vulnerabilities in the inc/cores/file-uploader.php and file-uploader/file-uploader-class.php files. An attacker can upload any file to the server, including .php files, by sending a request to the "action=ap file upload action&allowedExtensions[]=php" endpoint at "/wp-admin/admin-ajax.php", resulting in PHP code execution.

Recommendations For AccessKeys AccessPress Anonymous Post Pro plugin versions through 3.1.9, update to a version later than 3.1.9 to resolve the issue.