Vulnerability Disclosure

Public Notice of Disclosure for Edgewood Properties of New Jersey, USA

Discover critical vulnerabilities in a property management firm in New Jersey, USA, and the concerning lack of response. Stay updated on the investigation and patch progress.


At 4:35 EST, 8/16, we disclosed two (2) critical vulnerabilities to Edgewood Properties of New Jersey, USA.

Pursuant to our Disclosure Policy, this began a 30-day suspension period in which this report was anonymized, with timelined updates, as we waited for this organization to investigate further and/or disprove this vulnerability. This organization refused to acknowledge the disclosure, which leaves its residents and potential customers potentially vulnerable.

 

Vulnerability: Unrestricted File Upload

Cause: Out-of-Date Dependency

Severity: CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Location: https://www.edgewoodproperties.com

Summary: WordPress Contact Form 7 before 5.3.2 allows unrestricted file upload and remote code execution because a filename may contain special characters. We've detected this site utilizing v5.1.6.

References: CVE-2020-35489, CWE-434

 

Vulnerability: Unrestricted File Upload

Cause: Out-of-Date Dependency

Severity: CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Location: https://risk-management.edgewoodproperties.com

Summary: WordPress Contact Form 7 before 5.3.2 allows unrestricted file upload and remote code execution because a filename may contain special characters. We've detected this site utilizing v5.1.6.

References: CVE-2020-35489, CWE-434
