CVE-2013-1916
Published 2022-06-24
Priority: P266 · Severity: high · CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 12.14% (95.6th percentile)
In WordPress Plugin User Photo 0.9.4, an uploaded photo is only partially validated, so an attacker can upload a backdoor to the server hosting WordPress. The backdoor can be requested (and therefore executed) even before a moderator has approved the photo.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| user_photo_project | user_photo | — | — |
Detection & IOCs (extracted from sources)
Bytes (sample polyglot: the GIF89a magic, a 20x20 logical screen size, then the ASCII payload `<?php phpinfo(); ?>`):
47 49 46 38 39 61 14 00 14 00 3C 3F 70 68 70 20 70 68 70 69 6E 66 6F 28 29 3B 20 3F 3E
- Detect file uploads to the User Photo plugin where the Content-Type header is an image MIME type (e.g. image/gif) but the uploaded file has a .php extension; this is MIME-type spoofing for a webshell upload.
- Alert on HTTP requests to wp-content/uploads/userphoto/*.php. Any PHP file in this directory indicates a successful webshell upload, and it is reachable even before moderator approval.
- Detect files that begin with the GIF89a magic bytes (47 49 46 38 39 61) and also contain the PHP open tag sequence (3C 3F 70 68 70); this is the classic GIF/PHP polyglot webshell indicator.
- Why the check fails: getimagesize() only reads the start of the GIF header to obtain the dimensions and ignores trailing data, so a PHP payload appended after the header passes validation.
- Caveat: on some server configurations PHP source is interpreted as 16-bit Unicode. The GIF header alignment does not prevent exploitation in that case, but the appended PHP payload must then be written in that encoding.
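The following Python is an added example, not code from this page, from the plugin, or from any of the cited sources. It implements the checks listed above over constructed sample data: a header-only GIF parser that stands in for the part of getimagesize() relevant here (to show why an appended payload survives), a polyglot scanner that also looks for the UTF-16 form of the open tag described in the caveat (an extension of the page's ASCII-only indicator), and the two request-level rules run over invented upload events and access-log lines. The log format, the file names, and the UTF-16 tag variants are assumptions.

```python
import re
import struct

# Constructed sample: the polyglot bytes listed on this page
# ("GIF89a" + 20x20 logical screen size + "<?php phpinfo(); ?>").
POLYGLOT = bytes.fromhex(
    "47494638396114001400"
    "3C3F70687020706870696E666F28293B203F3E"
)

# Constructed: a benign GIF header followed by ordinary image data bytes.
CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 20, 20) + b"\x80\x00\x00" + b"\x00" * 8

# Constructed: same polyglot idea, payload written as 16-bit Unicode (see caveat above).
POLYGLOT_UTF16 = b"GIF89a" + struct.pack("<HH", 20, 20) + "<?php phpinfo(); ?>".encode("utf-16-le")

GIF_MAGICS = (b"GIF89a", b"GIF87a")
PHP_OPEN_TAGS = (
    b"<?php",                      # 3C 3F 70 68 70, the indicator from the page
    "<?php".encode("utf-16-le"),   # assumption: UTF-16 variants for the Unicode case
    "<?php".encode("utf-16-be"),
)


def parse_gif_header(data: bytes):
    """Return (width, height) from the 10-byte GIF header, or None if it is not a GIF.

    This mirrors only what a dimension check needs: the magic plus two
    little-endian 16-bit sizes. Nothing past byte 10 is examined, which is
    exactly why a PHP payload appended after the header is never seen.
    """
    if len(data) < 10 or data[:6] not in GIF_MAGICS:
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return width, height


def is_gif_php_polyglot(data: bytes) -> bool:
    """True when the bytes pass the GIF header check but also carry a PHP open tag."""
    if parse_gif_header(data) is None:
        return False
    return any(tag in data for tag in PHP_OPEN_TAGS)


# Rule 1: image MIME type declared, but the stored file name ends in .php.
IMAGE_MIME = re.compile(r"^image/", re.I)
PHP_EXT = re.compile(r"\.php$", re.I)


def spoofed_image_upload(content_type: str, filename: str) -> bool:
    return bool(IMAGE_MIME.match(content_type.strip()) and PHP_EXT.search(filename.strip()))


# Rule 2: any request for a .php file under the plugin's upload directory.
USERPHOTO_PHP = re.compile(r"/wp-content/uploads/userphoto/[^?]*\.php(\?|$)", re.I)
ACCESS_LINE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+"')


def webshell_path_hit(path: str) -> bool:
    return bool(USERPHOTO_PHP.search(path))


def scan_access_log(lines):
    """Return the request paths in the (constructed) access log that hit rule 2."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and webshell_path_hit(m.group(3)):
            hits.append(m.group(3))
    return hits


# Constructed upload events: (client, declared Content-Type, stored file name).
UPLOAD_EVENTS = [
    ("203.0.113.5", "image/gif", "avatar.gif"),
    ("203.0.113.9", "image/gif", "shell.php"),
]

# Constructed access-log lines in a simplified "client "METHOD path HTTP/x" status" form.
ACCESS_LINES = [
    '203.0.113.5 "GET /wp-content/uploads/userphoto/avatar.gif HTTP/1.1" 200',
    '203.0.113.9 "GET /wp-content/uploads/userphoto/shell.php?cmd=id HTTP/1.1" 200',
    '203.0.113.7 "GET /wp-content/uploads/userphoto/ HTTP/1.1" 403',
]


def spoofed_uploads(events):
    return [client for client, ctype, name in events if spoofed_image_upload(ctype, name)]


if __name__ == "__main__":
    print("header dims:", parse_gif_header(POLYGLOT))            # (20, 20): passes the size check
    print("ascii polyglot:", is_gif_php_polyglot(POLYGLOT))      # True
    print("utf16 polyglot:", is_gif_php_polyglot(POLYGLOT_UTF16))  # True
    print("clean gif:", is_gif_php_polyglot(CLEAN_GIF))          # False
    print("spoofed uploads from:", spoofed_uploads(UPLOAD_EVENTS))
    print("webshell requests:", scan_access_log(ACCESS_LINES))
```

The file-content check is the one worth running on the upload handler itself: rejecting any "image" that contains a PHP open tag anywhere in its body, not just in the first few bytes, closes the gap that a header-only dimension check leaves open. The two request-level rules are cheaper and work from WAF or web-server logs after the fact.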
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.