CVE-2017-1002002 – Webapp builder 2.0 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2017-1002002
Vulnerability in WordPress plugin webapp-builder v2.0. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/

The Webapp builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ./webapp-builder/server/images.php file in version 2.0. This makes it possible for attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

• https://www.exploit-db.com/exploits/41540
• http://www.securityfocus.com/bid/96906
• http://www.vapidlabs.com/advisory.php?v=181
• https://wordpress.org/plugins-wp/webapp-builder

• CWE-434: Unrestricted Upload of File with Dangerous Type