CVE-2017-16949
published 2017-12-19


Priority P272, critical, 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.15% (97.0th percentile)
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.

Affected

1 range

Vendor | Product | Version range | Fixed in
accesspressthemes | anonymous_post_pro | <= 3.1.9 | (none listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=ap_file_upload_action&allowedExtensions[]=php
path: inc/cores/file-uploader.php
path: file-uploader/file-uploader-class.php
  • Monitor POST requests to /wp-admin/admin-ajax.php containing the parameter 'action=ap_file_upload_action' combined with 'allowedExtensions[]=php' (or other executable extensions), which indicates an attempt to override the plugin's file extension whitelist.
  • Alert on .php (or other server-side script) files uploaded via the AccessPress Anonymous Post Pro plugin upload handler; the attacker supplies allowedExtensions[] in the POST body to bypass the server-side extension check.
  • Inspect multipart/form-data POST bodies to admin-ajax.php for user-supplied 'allowedExtensions' array parameters, which should never be accepted from client input in this plugin.
  • The vulnerability affects the AccessPress Anonymous Post Pro plugin through version 3.1.9; scope detection rules to sites running this plugin version range.
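
The checks in the list above can be combined into one request inspector. The following is an added example, not code from the plugin or from the sources quoted on this page. It assumes the sensor (WAF, reverse proxy or capture tool) hands over the method, URL, Content-Type and raw body of each request; the script-extension list and the sample requests, including the `upload` field name, are constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import parse_qsl, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "ap_file_upload_action"
# Matches allowedExtensions, allowedExtensions[] and allowedExtensions[0]
OVERRIDE_RE = re.compile(r"^allowedExtensions(\[\d*\])?$", re.IGNORECASE)
# Assumption: extensions treated as server-side script on the monitored hosts
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

def form_fields(content_type, body):
    """Return ([(name, value)], [filename]) from a urlencoded or multipart body."""
    if not content_type.lower().startswith("multipart/form-data"):
        return parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True), []
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields, files = [], []
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_param("name", header="content-disposition")
        if part.get_filename() is not None:
            files.append(part.get_filename())   # file part: keep only its name
        elif name:
            value = part.get_payload(decode=True) or b""
            fields.append((name, value.decode("utf-8", "replace").strip()))
    return fields, files

def inspect_request(method, url, content_type, body):
    """Return findings for one captured request; an empty list means no match."""
    target = urlsplit(url)
    if method.upper() != "POST" or target.path != AJAX_PATH:
        return []
    fields, files = form_fields(content_type, body)
    fields += parse_qsl(target.query, keep_blank_values=True)  # parameters may sit in the URL
    if ("action", UPLOAD_ACTION) not in fields:
        return []
    findings = [f"client-supplied {n}={v}" for n, v in fields if OVERRIDE_RE.match(n)]
    findings += [f"script upload {f}" for f in files if SCRIPT_EXT_RE.search(f)]
    return findings

# Constructed sample requests (not captured traffic)
URLENCODED = b"action=ap_file_upload_action&allowedExtensions%5B%5D=php"
MULTIPART = (
    "--xyz\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nap_file_upload_action\r\n"
    "--xyz\r\nContent-Disposition: form-data; name=\"allowedExtensions[]\"\r\n\r\nphp\r\n"
    "--xyz\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"sample.php\"\r\n"
    "Content-Type: text/plain\r\n\r\nconstructed sample content\r\n--xyz--\r\n"
).encode()
```

Any non-empty result for a site running the plugin at 3.1.9 or earlier warrants review of the upload directory for the named file.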

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P