This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Unrestricted file upload in WordPress Plugin Moveto. <br>π₯ **Consequences**: Attackers can upload malicious files (e.g., webshells).β¦
π‘οΈ **CWE**: CWE-434 (Unrestricted Upload of File with Dangerous Type). <br>π **Flaw**: The plugin fails to validate file types/extensions during upload. <br>β οΈ **Root**: Dangerous file types are not restricted.
Q3Who is affected? (Versions/Components)
π’ **Vendor**: Skymoonlabs. <br>π¦ **Product**: MoveTo (WordPress Plugin). <br>π **Affected**: Version **6.2** and earlier versions.
Q4What can hackers do? (Privileges/Data)
π **Privileges**: Unauthenticated access required. <br>π **Data**: Can upload arbitrary files. <br>π» **Action**: Execute code on the server via uploaded scripts.
π **Public Exp?**: No specific PoC code provided in data. <br>π **Wild Exp**: Likely easy to exploit due to low barrier. <br>π **Ref**: Patchstack advisory available.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for Moveto plugin version β€ 6.2. <br>π **Feature**: Look for file upload endpoints. <br>π§ͺ **Test**: Attempt to upload non-image files (e.g., .php).
Q8Is it fixed officially? (Patch/Mitigation)
π οΈ **Fix**: Update to version **> 6.2**. <br>π’ **Source**: Vendor patch available via Patchstack. <br>β **Status**: Official fix exists.
Q9What if no patch? (Workaround)
π« **Workaround**: Disable the plugin if not used. <br>π‘οΈ **WAF**: Block upload requests with dangerous extensions. <br>π **Perms**: Restrict upload directory execution permissions.