Description
Unrestricted file upload vulnerability in uploadScript.php in InfiniteWP Admin Panel before 2.4.4, when the allWPFiles query parameter is set, allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the uploads directory, as demonstrated by the .php.swp filename.
References (2)
Core References
Various Sources x_refsource_misc
https://lifeforms.nl/20141210/infinitewp-vulnerabilities/
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Dec/43
Scores
EPSS
0.0233
EPSS Percentile
81.4%
Details
CWE
CWE-94
Status
published
Products (1)
infinitewp/infinitewp
< 2.4.3
Published
Jan 05, 2015
Tracked Since
Feb 18, 2026