CVE-2009-3890

WordPress < 2.8.5 - Authenticated Remote Code Execution via Multiple-Extension Filename Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3890. PoCs published by Dawid Golunski.

AI-analyzed exploit summary This exploit demonstrates an unrestricted file upload vulnerability in WordPress <= 2.8.5, allowing arbitrary PHP code execution by uploading a file with a '.php.jpg' extension, bypassing MIME type checks due to Apache's handling of multiple extensions.

Description

Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Dawid Golunski · textwebappsphp

https://www.exploit-db.com/exploits/10089

View Code ZIP pw:eip

This exploit demonstrates an unrestricted file upload vulnerability in WordPress <= 2.8.5, allowing arbitrary PHP code execution by uploading a file with a '.php.jpg' extension, bypassing MIME type checks due to Apache's handling of multiple extensions.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WordPress <= 2.8.5

Auth required

Prerequisites: Valid WordPress user credentials · Access to the WordPress media upload feature

MITRE ATT&CK