CVE-2019-11223

CRITICAL

Supportcandy < 2.0.0 - Unrestricted File Upload

Title source: rule

Description

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension.

Exploits (1)

nomisec WORKING POC 3 stars

by AngelCtulhu · poc

https://github.com/AngelCtulhu/CVE-2019-11223

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://cert.kalasag.com.ph/news/research/vulnerable-wordpress-plugin-lets-you-take-over-websites/

[Product, Third Party Advisory] https://wordpress.org/plugins/supportcandy/#developers

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/9488

[Exploit, Third Party Advisory] https://www.pluginvulnerabilities.com/2019/04/05/arbitrary-file-upload-vulnerability-in-supportcandy/

Scores

CVSS v3 9.8

EPSS 0.4405

EPSS Percentile 97.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

supportcandy/supportcandy < 2.0.0

Published Apr 18, 2019

Tracked Since Feb 18, 2026