CVE-2013-7102

EXPLOITED IN THE WILD

OptimizePress <1.61 - RCE

Title source: llm

Description

Multiple unrestricted file upload vulnerabilities in (1) media-upload.php, (2) media-upload-lncthumb.php, and (3) media-upload-sq_button.php in lib/admin/ in the OptimizePress theme before 1.61 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images_comingsoon, images_lncthumbs, or images_optbuttons in wp-content/uploads/optpress/, as exploited in the wild in November 2013.

Exploits (1)

metasploit WORKING POC EXCELLENT

by United of Muslim Cyber Army, Mekanismen · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_optimizepress_upload.rb

View Code ZIP pw:eip

References (4)

[Exploit] http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html

[Various Sources] http://help.optimizepress.com/customer/portal/articles/1381790-important-optimizepress-1-0-security-update

[Mailing List] http://seclists.org/fulldisclosure/2013/Dec/127

[Exploit] http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/

Scores

EPSS 0.6332

EPSS Percentile 98.4%

Details

VulnCheck KEV 2013-12-23

InTheWild.io 2013-12-24

CWE

CWE-20

Status published

Products (1)

optimizepress/optimizepress < 1.60

Published Dec 23, 2013

Tracked Since Feb 18, 2026