This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: A critical code flaw in the 'Website Contact Form With File Upload' plugin allows **unauthorized file uploads**. …
**Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type).
**Flaw**: The `upload_file()` function in `classes/plugin.class.php` **lacks file type validation**. …
**Affected Vendor**: N-Media.
**Product**: Website Contact Form With File Upload.
**Versions**: **1.3.4 and earlier**. If you are running this version or older, you are vulnerable.
Q4. What can hackers do? (Privileges/Data)
**Hacker Privileges**: Full **Remote Code Execution**. …
**Public Exploit**: **YES**.
**PoC Available**: Public Proof-of-Concepts exist on GitHub and PacketStorm.
**Wild Exploitation**: High risk. …
**Self-Check**:
1. Check your WordPress plugins for 'Website Contact Form With File Upload'.
2. Verify the version is **≤ 1.3.4**.
3. Scan for unauthorized `.php` files in upload directories.
4. …
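Step 3 of the self-check can be automated. The PHP command-line script below is an added example; it is not part of this analysis or of the plugin, and the uploads path and the list of extensions treated as executable are assumptions. It flags files whose last extension is a PHP one, files carrying a PHP extension in the middle of the name (double extensions, which some server configurations still hand to the PHP handler), non-PHP files such as images or PDFs whose bytes contain a PHP open tag, and any `.htaccess` or `.user.ini` that has appeared inside the uploads tree.

```php
<?php
// Added example (not the plugin's code): walk a WordPress uploads directory and
// report files that a web server could execute as PHP.
// Assumed usage:  php scan-uploads.php /var/www/html/wp-content/uploads

$root = $argv[1] ?? 'wp-content/uploads';   // default path is an assumption
$executable = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'];

if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}

// True when the file's bytes contain a PHP open tag ("<?php" or "<?=").
// Whole file is read when it is small; otherwise only the first 64 KiB.
function containsPhpTag(string $path): bool
{
    $size = filesize($path);
    $data = ($size !== false && $size <= 8 * 1024 * 1024)
        ? file_get_contents($path)
        : file_get_contents($path, false, null, 0, 65536);
    return $data !== false && preg_match('/<\?(php|=)/i', $data) === 1;
}

$findings = [];
$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
foreach ($iter as $file) {
    if (!$file->isFile()) {
        continue;
    }
    $name  = $file->getFilename();
    $path  = $file->getPathname();
    $parts = explode('.', strtolower($name));
    array_shift($parts);            // drop the base name; what remains are the extensions

    $reason = null;
    if ($parts && in_array(end($parts), $executable, true)) {
        $reason = 'PHP extension';
    } elseif (array_intersect($parts, $executable)) {
        $reason = 'PHP extension in the middle of the name (double extension)';
    } elseif (preg_match('/\.(jpe?g|png|gif|pdf)$/', strtolower($name)) && containsPhpTag($path)) {
        $reason = 'PHP open tag inside a non-PHP file';
    } elseif ($name === '.htaccess' || $name === '.user.ini') {
        $reason = 'server config file inside uploads; review its contents';
    }
    if ($reason === null) {
        continue;
    }
    $findings[] = [
        'path'  => $path,
        'mtime' => date('c', $file->getMTime()),
        'size'  => $file->getSize(),
        'why'   => $reason,
    ];
}

if (!$findings) {
    echo "no PHP-executable files found under $root\n";
    exit(0);
}
foreach ($findings as $f) {
    printf("%s  %8d bytes  %s  [%s]\n", $f['mtime'], $f['size'], $f['path'], $f['why']);
}
exit(1);   // non-zero exit so the check can run unattended from cron or CI and alert on hits
```

Anything the script reports should be compared against the modification time of the plugin's installation and the web server's access log for the same path; a PHP file in the uploads tree that the site owner did not put there is the indicator this vulnerability leaves behind.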
**Official Fix**: **YES**.
**Mitigation**: Update the plugin to the latest version where file type validation is implemented. The vendor has released patches addressing the missing checks in `upload_file()`.
Q9. What if no patch? (Workaround)
**No Patch Workaround**:
1. **Disable/Uninstall** the plugin immediately if not needed.
2. Restrict upload permissions via `.htaccess` or server config to block `.php` execution in upload folders.
3. …
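The official fix (file type validation in `upload_file()`) and workaround 2 above come down to two layered controls: validate the file by its content before accepting it, and make the upload folder unable to execute PHP even if validation is ever bypassed. The PHP below is an added example and is not the vendor's patched `upload_file()`; the function name `safe_upload_file()`, the allowlist, the size cap and the destination directory are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hardened upload handler for a
// form that previously accepted any file type. All names here are assumed.

const MAX_BYTES = 5 * 1024 * 1024;   // assumed size cap: 5 MiB

// Allowlist: extension => MIME type the file's *content* must sniff as.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Apache 2.4 rule that refuses to serve or execute PHP-handled files under the
// upload folder (case-insensitive). nginx ignores .htaccess; see the note below.
const UPLOAD_HTACCESS = "<FilesMatch \"(?i)\\.(ph(p[0-9]?|tml|ar))$\">\n"
    . "    Require all denied\n"
    . "</FilesMatch>\n";

/**
 * Validate one entry of $_FILES and move it into $dest_dir under a random name.
 * Returns the stored path; throws RuntimeException on any rejection.
 */
function safe_upload_file(array $file, string $dest_dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Extension: only the LAST one counts, lower-cased, and it must be allowlisted.
    // "photo.php.jpg" therefore becomes "jpg" and is then judged by its content.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }

    // Content check: $file['type'] comes from the client and is untrusted,
    // so sniff the actual bytes and require them to match the extension.
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $actual = $finfo->file($file['tmp_name']) ?: 'unknown';
    if ($actual !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $actual does not match .$ext");
    }

    // Never reuse the client's filename; build one with no user-controlled bytes.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;

    if (!is_dir($dest_dir) && !mkdir($dest_dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // Put the deny-PHP rule in place before the first file lands in the folder.
    $htaccess = $dest_dir . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, UPLOAD_HTACCESS);
    }

    $dest = $dest_dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);   // readable by the server, never executable
    return $dest;
}

// Usage in the form handler, after the caller has confirmed the request is
// authorised (in WordPress: a nonce check plus a capability check):
// $stored = safe_upload_file($_FILES['attachment'], '/var/www/html/wp-content/uploads/contact-form');
```

Inside a WordPress plugin the same checks are available from core: `wp_check_filetype_and_ext()` compares the extension with the sniffed content type, and `wp_handle_upload()` applies the site's allowed-MIME list; the caller still has to verify that the request is authorised, since the weakness described on this page is that the endpoint accepted uploads it should have refused. nginx does not read `.htaccess`, so the deny rule for the upload folder belongs in the server configuration as a `location` block that returns 403 for the same extensions.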
**Urgency**: **CRITICAL**.
**Priority**: **P0**.
**Action**: Patch immediately. This is an unauthenticated RCE vulnerability with public exploits. …