Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

On the 9th October researchers at AppCheck NG discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.

On the 9th October researchers at AppCheck discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host.  The vulnerability was reported and fixed on the 12th October.

 

Demonstration Video

See details and a demonstration of the vulnerability here.

 

Exploit Script

Here is an example exploit script for this vulnerability: wp-forms-manager-CVE-2015-7806.py

 

Solution

The vulnerability has now been resolved by the developer: please upgrade this module to >= 1.7.3

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Further Reading

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA)

Put us to the test.
Try AppCheck for free

No software to download or install.
Contact us or call us 0113 887 8380
Start your free trial
"AppCheck’s coverage is extensive, ensuring that no area is left unaddressed, even in complex architectures with intricate authentication systems."
"Gone are the weeks of liaising with vendors and honing scan profiles to produce a once a year report. Regular automated scheduled scans means we can relax while AppCheck does the heavy lifting."
"Comprehensive, competitively priced, easy to use tool with simple onboarding and excellent support."
"Their support team offer useful guidance on getting the best out of the tool, as well as keeping us updated with the latest threats and security news."
"Comprehensive, competitively priced, easy to use tool with simple onboarding and excellent support."
"The detailed reports and actionable insights provided have proven invaluable in enhancing our overall security posture. Highly recommended for robust and effective security assessments."
"The competence of its results truly stands out when compared to other scanners I've used in the past and even manual penetration tests. It’s very user-friendly too for such a complex tool."
"When we compared AppCheck against a team of manual penetration testers, AppCheck identified all of the same vulnerabilities, plus an additional three critical vulnerabilities and did so in under half the time."
Services
Company
Resources
Keep in touch

AppCheck Ltd. is a company registered in England and Wales with company number 06888174

Start your free trial

Simply complete the form and we’ll send you all you need to activate AppCheck and undertake your FREE scan.
Your details
IP Addresses
URLs

Get in touch