CVE-2015-9272 – VideoWhisper Video Presentation <= 4.1.4 - Arbitrary File Upload

https://notcve.org/view.php?id=CVE-2015-9272

The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code. El plugin videowhisper-video-presentation en su versión 3.31.17 para WordPress permite que los atacantes remotos ejecuten código arbitrario porque vp/vw_upload.php considera que un archivo es seguro cuando "html" son las últimas cuatro letras, tal y como queda demostrado con un archivo .phtml que contiene código PHP. The videowhisper-video-presentation plugin 4.1.4 and below for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code. • http://www.vapidlabs.com/advisory.php?v=117 https://www.openwall.com/lists/oss-security/2015/04/01/2 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •