CVE-2015-10137
Published: 22 July 2025
Summary
CVE-2015-10137 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Najeebmedia Website Contact Form With File Upload. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2015-10137 is an arbitrary file upload vulnerability in the Website Contact Form With File Upload plugin for WordPress, affecting versions up to and including 1.3.4. The issue stems from missing file type validation in the upload_file() function, which allows attackers to upload arbitrary files directly to the affected site's server. This flaw is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting malicious files through the plugin's contact form upload feature, they can place arbitrary content on the server, potentially achieving remote code execution if the uploaded files are web-accessible scripts, such as PHP shells.
Advisories from sources like Packet Storm Security and Acunetix detail the vulnerability, with references to the plugin's WordPress Trac repository (including readme.txt) indicating that sites should update to a version beyond 1.3.4 to mitigate the issue, as the flaw is present in all prior releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-9399
Vulnerability details
The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers…
more
to upload arbitrary files on the affected sites server which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in public-facing WordPress plugin directly enables exploitation of public-facing app and deployment of web shell for RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the missing file type validation in the upload_file() function by requiring validation mechanisms at information input points.
Requires timely identification, reporting, and correction of flaws like this arbitrary file upload vulnerability in the WordPress plugin up to version 1.3.4.
Malicious code protection mechanisms scan and block potentially dangerous uploaded files, mitigating RCE from arbitrary uploads.