CVE-2017-6104
published 2017-03-02

CVE-2017-6104: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0.

Priority: P258 (high)
CVSS 3.0: 7.5, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit: public exploit available
EPSS: 7.32% (93.6th percentile)
Affected

2 ranges

Vendor                         Product                                      Version range   Fixed in
zen_mobile_app_native_project  zen_mobile_app_native                        <= 3.0          (none listed)
zendk                          mobileapp                                    wordpress_plugin_mobile_app_native_3.0   (none listed)

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/
command: ?alien=whoami
command: ?alien=command
  • Detect arbitrary file upload attempts targeting WordPress plugin directories via HTTP POST, followed by GET requests with shell command query parameter '?alien='
  • Alert on HTTP GET requests containing the query parameter 'alien=' to files within /wp-content/plugins/ — this is the webshell command execution pattern used by this exploit
  • The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type); monitor for file uploads to the Mobile App Native plugin directory
  • The exploit targets the 'Zen App Mobile Native' WordPress plugin (version 3.0) via unauthenticated remote file upload; flag POST requests to plugin upload endpoints without authentication
  • The exploit script replaces 'http://example.com/' in the server response to reconstruct the uploaded shell's URL, suggesting the vulnerable plugin echoes back the upload path; response body inspection may aid detection

CVSS provenance

NVD, CVSS v3.0: 7.5 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, vector AV:N/AC:L/Au:N/C:N/I:P/A:N