CVE-2015-10137

CriticalPublic PoC

Published: 22 July 2025

Published

22 July 2025

Modified

16 December 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.6747 98.6th percentile

Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-10137 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Najeebmedia Website Contact Form With File Upload. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the missing file type validation in the upload_file() function by requiring validation mechanisms at information input points.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like this arbitrary file upload vulnerability in the WordPress plugin up to version 1.3.4.

SI-3 Malicious Code Protection partial match

preventdetect

Malicious code protection mechanisms scan and block potentially dangerous uploaded files, mitigating RCE from arbitrary uploads.

NVD Description

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers…

to upload arbitrary files on the affected sites server which may make remote code execution possible.

Deeper analysisAI

CVE-2015-10137 is an arbitrary file upload vulnerability in the Website Contact Form With File Upload plugin for WordPress, affecting versions up to and including 1.3.4. The issue stems from missing file type validation in the upload_file() function, which allows attackers to upload arbitrary files directly to the affected site's server. This flaw is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting malicious files through the plugin's contact form upload feature, they can place arbitrary content on the server, potentially achieving remote code execution if the uploaded files are web-accessible scripts, such as PHP shells.

Advisories from sources like Packet Storm Security and Acunetix detail the vulnerability, with references to the plugin's WordPress Trac repository (including readme.txt) indicating that sites should update to a version beyond 1.3.4 to mitigate the issue, as the flaw is present in all prior releases.