PT-2026-1685 · WordPress · Wp Cost Estimation

Mikey Veenstra · Published 2026-01-08 · Updated 2026-01-08 · CVE-2019-25296

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WP Cost Estimation versions up to and including 9.642

Description

The WP Cost Estimation plugin for WordPress is affected by a flaw allowing arbitrary file uploads and deletion. This is due to a lack of file type validation in the lfb_upload_form and lfb_removeFile AJAX actions. An unauthenticated attacker can upload arbitrary files to the affected server, potentially leading to remote code execution. The attacker can also delete files, including database configuration files, and replace them with their own.

Recommendations

Update WP Cost Estimation to a version beyond 9.642.

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2019-25296

Affected Products: Wp Cost Estimation