Website Baker Media Upload Extension Validation Arbitrary Code Execution
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Website Baker contains a flaw that may allow a malicious user to remotely upload arbitrary files. The issue is due to a lack of sanitization of the media files uploaded through the script "admin/media/index.php". When uploading a file, it is possible to upload a file with a crafted file extension that the server will execute instead of processing it as an image or other media file.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
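The kind of upload check whose absence the description above points to, as an added example: this is generic PHP upload handling, not Website Baker code and not a vendor patch. `ALLOWED_MEDIA` and `safe_media_name()` are hypothetical names, the permitted types are an assumption, and PHP's fileinfo extension is assumed to be available.

```php
<?php
// Added example, not Website Baker code. ALLOWED_MEDIA and safe_media_name()
// are hypothetical names; the permitted types are an assumption.
const ALLOWED_MEDIA = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Returns a server-generated name for an accepted upload, or null to reject.
function safe_media_name(string $clientName, string $tmpPath): ?string
{
    // Drop any path component; reject empty names and control bytes (incl. NUL).
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    // Treat every dot-separated segment after the first as an extension and
    // require exactly one, so names carrying a second extension are refused.
    $parts = explode('.', strtolower($base));
    array_shift($parts);
    if (count($parts) !== 1 || !array_key_exists($parts[0], ALLOWED_MEDIA)) {
        return null;
    }
    $ext = $parts[0];

    // The file content must match the type the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_MEDIA[$ext]) {
        return null;
    }

    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: a 1x1 GIF written to a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode(
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
foreach (['photo.gif', 'photo.php', 'photo.gif.php', 'photo.php.gif', 'photo'] as $name) {
    $result = safe_media_name($name, $tmp);
    printf("%-14s %s\n", $name, $result === null ? 'rejected' : "stored as $result");
}
unlink($tmp);
```

An extension check is one layer; serving the media directory with script execution disabled keeps a missed case from becoming code execution.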