Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

On the 9th October researchers at AppCheck discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host.  The vulnerability was reported and fixed on the 12th October.

 

Demonstration Video

See details and a demonstration of the vulnerability here.

 

Exploit Script

Here is an example exploit script for this vulnerability: wp-forms-manager-CVE-2015-7806.py

 

Solution

The vulnerability has now been resolved by the developer: please upgrade this module to >= 1.7.3

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial