CVE-2016-10959

Name of the Vulnerable Software and Affected Versions Estatik plugin versions prior to 2.3.1 for WordPress

Description The issue concerns an authenticated arbitrary file upload, which is also exploitable with CSRF, via the es media images[] parameter to the "wp-admin/admin-ajax.php" API endpoint.

Recommendations For versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-ajax.php" API endpoint or disabling the es media images[] parameter to minimize the risk of exploitation.