CVE-2013-1916
published 2022-06-24


Priority: P2 · 66 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 12.14% (95.6th percentile)
In WordPress Plugin User Photo 0.9.4, when a photo is uploaded it is only partially validated, and it is possible to upload a backdoor to the server hosting WordPress. This backdoor can be called (executed) even if the photo has not yet been approved.

Affected (1 range)

Vendor: user_photo_project
Product: user_photo
Version range: 
Fixed in: 

Detection & IOCs (extracted from sources)

path: wp-content/uploads/userphoto/<username>.php
url: inurl:"/wp-content/uploads/userphoto/"
bytes: 47 49 46 38 39 61 14 00 14 00 3C 3F 70 68 70 20 70 68 70 69 6E 66 6F 28 29 3B 20 3F 3E
  • Detect file uploads to the User Photo plugin where the Content-Type header is an image MIME type (e.g. image/gif) but the uploaded file has a .php extension, indicating MIME-type spoofing for webshell upload.
  • Alert on HTTP requests to wp-content/uploads/userphoto/*.php — any PHP file present in this directory indicates a successful webshell upload, even before moderator approval.
  • Detect files beginning with the GIF89a magic bytes (47 49 46 38 39 61) that also contain the PHP open tag sequence (3C 3F 70 68 70) — a classic polyglot GIF/PHP webshell indicator.
  • getimagesize() only inspects the beginning of the GIF header for dimensions and ignores trailing data, so a PHP payload appended after the header passes validation.
  • In some server configurations PHP files are interpreted as Unicode (16-bit); the GIF header alignment means this does not block exploitation, but the PHP payload must be written in Unicode in those cases.
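The three detection ideas above, as an added defender-side example that is not part of this record: a header-only dimension check in the style of getimagesize() (which accepts the polyglot), a GIF-magic-plus-PHP-tag scan, and an upload classifier that flags PHP extensions and image MIME types on non-image files. The sample bytes are the IOC listed above; the extra PHP extensions and the finding labels are assumptions of this example.

```python
import re
import struct
from pathlib import Path

# Constructed sample: the polyglot byte sequence listed in the IOCs above
# (GIF89a magic, 20x20 logical screen, then "<?php phpinfo(); ?>").
SAMPLE_POLYGLOT = bytes.fromhex(
    "474946383961140014003C3F70687020706870696E666F28293B203F3E"
)

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Assumed set of extensions a PHP handler may execute; the record only names .php.
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}


def gif_dimensions(data: bytes):
    """Header-only check in the spirit of getimagesize(): read width/height
    from the GIF logical screen descriptor and ignore everything after it.
    Returns (width, height), or None when the GIF magic is absent."""
    if len(data) < 10 or data[:6] not in GIF_MAGICS:
        return None
    width, height = struct.unpack_from("<HH", data, 6)
    return width, height


def is_gif_php_polyglot(data: bytes) -> bool:
    """True when a blob starts with a GIF magic AND carries a PHP open tag."""
    return data[:6] in GIF_MAGICS and PHP_TAG.search(data) is not None


def classify_upload(name: str, data: bytes, content_type: str = "") -> list:
    """Return the findings a defender would alert on for one upload into
    wp-content/uploads/userphoto/. Labels are this example's own."""
    findings = []
    suffix = Path(name).suffix.lower()
    if suffix in PHP_EXTS:
        findings.append("php-extension-in-upload-dir")
        if content_type.lower().startswith("image/"):
            findings.append("image-mime-on-php-file")
    if is_gif_php_polyglot(data):
        findings.append("gif-php-polyglot")
    return findings
```

Note that gif_dimensions() happily returns 20x20 for the polyglot, which is exactly why a dimension check alone is not a content check.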

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 8.5 HIGH, AV:N/AC:M/Au:S/C:C/I:C/A:C