N-Media file uploader vulnerability in handling uploaded files


N-Media file uploader is a plugin for WordPress. It contains a vulnerability (CWE-264) in the way it handles uploaded files. As a result, an arbitrary PHP script that has been uploaded may be executed.

Yuji Tounai of bogus.jp reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • N-Media file uploader versions prior to 3.4


A user with "Author" privileges or above may execute an arbitrary command on the server.

[Update the software]
Update to the latest version according to the information provided by the developer and modify the settings for file types that are allowed to be uploaded.
Vendor Information

CWE

  1. Permissions(CWE-264) [IPA Evaluation]
CVE

  1. CVE-2014-5324

References

  1. JVN : JVN#87863382
  2. National Vulnerability Database (NVD) : CVE-2014-5324
Revision History

  • [2014/09/25]
      Web page was published
       References : Content was added