19 Sep 2016

Arbitrary File Upload Vulnerability in N-Media Website Contact Form with File Upload

After recently discovering an arbitrary file upload vulnerability in the plugin N-Media Post Front-end Form, we took a look at other plugins from the same developer and found that three others shared the same vulnerable code. One of those is N-Media Website Contact Form with File Upload.

In the case of this plugin, we found that we already had a listing for a very similar-looking vulnerability in our dataset. Our first thought was that we had mistakenly marked that one as fixed when we added it to our data and that the vulnerability had never been fixed, but a closer look showed what had happened. After the previous issue was discovered, the following code was added to restrict .php files from being uploaded: