CVE-2014-1905

Published: Dec 29, 2014Modified: May 6, 2026

10.0

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability: 10.0 / Impact: 10.0

Source: NVD

Description

Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.

Affected (1)

Products: Videowhisper: Videowhisper Live Streaming Integration

1 product

Videowhisper Live Streaming Integration

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Videowhisper Videowhisper Live Streaming Integration	Up to 4.27.4

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://www.htbridge.com/advisory/HTB23199

Source: cve@mitre.org

Exploit

https://www.htbridge.com/advisory/HTB23199

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.