vendor: Lazy SEO plugin
by: Ashiyane Digital Security Team
CVSS: 8,8 HIGH
Shell Upload Vulnerability
CWE: 264
Product Name: Lazy SEO plugin
Affected Version From: 1.1.9
Affected Version To: 1.1.9
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2013
WordPress Lazy SEO plugin Shell Upload Vulnerability
A vulnerability in the WordPress Lazy SEO plugin allows an attacker to upload a malicious shell to the vulnerable website. By exploiting this vulnerability, an attacker can gain access to the vulnerable website and execute arbitrary code. The vulnerability exists in the lazyseo.php file, which is located in the wp-content/plugins/lazy-seo/ directory. An attacker can exploit this vulnerability by accessing the lazyseo.php file, clicking the 'Browse...' button, selecting a malicious shell, and then pressing the 'Enter' button. The malicious shell is then uploaded to the wp-content/plugins/lazy-seo/ directory and can be accessed via the Shell.php file.
Mitigation:
Users should update to the latest version of the WordPress Lazy SEO plugin, which is 1.1.9. Additionally, users should ensure that all plugins are up to date and that they are running the latest version of WordPress.