Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)
Security Alert, posted October 23, 2015
On 9 October, researchers at AppCheck discovered a critical Remote Command Execution (RCE) vulnerability in the popular WordPress plugin Form Manager. It allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported to the developer and fixed on 12 October.
Demonstration Video
See details and a demonstration of the vulnerability here.
Exploit Script
Here is an example exploit script for this vulnerability: wp-forms-manager-CVE-2015-7806.py
Solution
The vulnerability has now been resolved by the developer: please upgrade this plugin to version 1.7.3 or later (>= 1.7.3).