ThreatPress

WordPress Vulnerability Database

WordPress Augmented Reality plugin <= 1.2.0 - Unauthenticated PHP File Upload leading to Remote Code Execution (RCE) vulnerability

Product
Augmented Reality
Description
An unauthenticated PHP file upload vulnerability leading to remote code execution (RCE) was found by Robert Wiggins in the WordPress Augmented Reality plugin (versions <= 1.2.0).
Solution
Note from wordpress.org plugin repository: This plugin has been closed as of September 3, 2020 and is not available for download. Reason: Security Issue.
Classification
Type: Arbitrary File Upload
OWASP Top 10: A1: Injection
References
Plugin changelog
CVE
Name: CVE-N/A
Versions
Affected In: <= 1.2.0
Fixed In: 1.2.1
Disclosure date
2020-11-05
Credits
Robert Wiggins