oss-sec mailing list archives

Remote file upload vulnerabilities in multiple wordpress plugins


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 06 Mar 2017 12:32:30 -0500


Hello,

All of these plugins include unlicensed software developed by http://www.invedion.com/ that is vulnerable. I am unable to get
more details from the vendor as to what the software name and version are and therefore can't issue a CVE for just
that software. I've issued CVEs for the impacted plugins I know of:

CVE-2017-1002000
Remote file upload vulnerability in Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0
Example: http://example.com/wordpress/wp-content/plugins/mobile-friendly-app-builder-by-easytouch/server/images.php
http://www.vapidlabs.com/advisory.php?v=179

CVE-2017-1002001
Remote file upload vulnerability in Wordpress Plugin mobile-app-builder-by-appress v1.05
Example: http://example.com/wordpress/wp-content/plugins/mobile-app-builder-by-wappress/server/images.php
http://www.vapidlabs.com/advisory.php?v=180

CVE-2017-1002002
Remote file upload vulnerability in Wordpress Plugin webapp-builder v2.0
Example: http://example.com/wordpress/wp-content/plugins/webapp-builder/server/images.php
http://www.vapidlabs.com/advisory.php?v=181


CVE-2017-1002003
Remote file upload vulnerability in Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4
Example: http://example.com/wordpress/wp-content/plugins/wp2android-turn-wp-site-into-android-app/server/images.php
http://www.vapidlabs.com/advisory.php?v=182

@muntopia provided an exploit for all of them here:
https://github.com/alienwithin/Scripts-Sploits/blob/master/zen_app_mobile_wp_rfu.py
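As an added example (not part of this post or the linked exploit), a small Python detector that flags web-server access-log requests reaching the four plugin images.php endpoints listed above, so a site owner can check whether the endpoints were hit. The log lines it runs on are constructed, and the combined-log regex and the record layout are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Plugin endpoints named in the advisory, relative to the WordPress root
# (the install may itself sit under a prefix such as /wordpress/).
VULNERABLE_ENDPOINTS = (
    "/wp-content/plugins/mobile-friendly-app-builder-by-easytouch/server/images.php",
    "/wp-content/plugins/mobile-app-builder-by-wappress/server/images.php",
    "/wp-content/plugins/webapp-builder/server/images.php",
    "/wp-content/plugins/wp2android-turn-wp-site-into-android-app/server/images.php",
)
# Apache/nginx "combined" format: client ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_attempts(lines):
    """One record per request reaching a vulnerable images.php (POST = upload, GET = probe)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Normalise before matching: decode %xx escapes, drop the query string and
        # ignore case, so trivial path variations do not slip past the check.
        path = unquote(m.group("path")).split("?", 1)[0].lower()
        if not path.endswith(VULNERABLE_ENDPOINTS):
            continue
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "kind": "upload attempt" if m.group("method") == "POST" else "probe",
        })
    return hits

# Constructed sample log (not real traffic): prefixed install, GET probe, mixed-case POST, noise.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2017:12:30:01 -0500] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2017:12:30:04 -0500] "POST /wordpress/wp-content/plugins/webapp-builder/server/images.php HTTP/1.1" 200 61 "-" "python-requests/2.13.0"
198.51.100.7 - - [06/Mar/2017:12:31:10 -0500] "GET /wp-content/plugins/mobile-friendly-app-builder-by-easytouch/server/images.php HTTP/1.1" 200 12 "-" "curl/7.52.1"
198.51.100.7 - - [06/Mar/2017:12:31:12 -0500] "POST /wp-content/plugins/Mobile-App-Builder-By-Wappress/server/images.php?x=1 HTTP/1.1" 500 0 "-" "curl/7.52.1"
192.0.2.9 - - [06/Mar/2017:12:32:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in find_upload_attempts(SAMPLE_LOG.splitlines()):
        print(f'{h["time"]} {h["client"]} {h["kind"]}: {h["method"]} {h["path"]} -> {h["status"]}')
```

A POST that returned 200 deserves the closest look, since that is the response an accepted upload would produce; a 500 or a lone GET is weaker evidence but still shows the endpoint was reachable.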
