Cyber Resilience

CVE-2015-10137

Severity: Critical · Public PoC

Published: 22 July 2025
Modified: 16 December 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7921 (99.1th percentile)
Risk Priority: 67 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-10137 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Najeebmedia Website Contact Form With File Upload plugin for WordPress. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.9% of CVEs by exploit likelihood, a public proof-of-concept is referenced, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2015-10137 is an arbitrary file upload vulnerability in the Website Contact Form With File Upload plugin for WordPress, affecting versions up to and including 1.3.4. The issue stems from missing file type validation in the upload_file() function, which allows attackers to upload arbitrary files directly to the affected site's server. This flaw is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting malicious files through the plugin's contact form upload feature, they can place arbitrary content on the server, potentially achieving remote code execution if the uploaded files are web-accessible scripts, such as PHP shells.

Advisories from Packet Storm Security and Acunetix describe the vulnerability and reference the plugin's WordPress Trac repository (including readme.txt). Because the flaw is present in every release up to and including 1.3.4, affected sites should update to a later version.


Vulnerability details

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An arbitrary file upload in a public-facing WordPress plugin directly enables exploitation of the public-facing application and the deployment of a web shell for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2020-36847 (shared CWE-434)

Affected Assets

Vendor: najeebmedia
Product: website contact form with file upload
Versions: ≤ 1.3.4

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation · prevent

Directly addresses the missing file type validation in the upload_file() function by requiring validation mechanisms at information input points.

SI-2 Flaw Remediation · prevent

Requires timely identification, reporting, and correction of flaws such as this arbitrary file upload vulnerability in the WordPress plugin (versions up to and including 1.3.4).

SI-3 Malicious Code Protection · prevent, detect

Malicious code protection mechanisms scan and block potentially dangerous uploaded files, mitigating RCE from arbitrary uploads.
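The deeper analysis above attributes the flaw to a missing file type check in the plugin's upload_file(), and the SI-10 and SI-3 controls describe the fix in policy terms. The following is an added example, not the plugin's code and not taken from any of the referenced advisories: a generic PHP contact-form upload handler written two ways, the unvalidated pattern that matches the CWE-434 description beside a hardened version that applies input validation (SI-10) and leaves a hook for a malicious-code scan (SI-3). All function names, constants, and the storage path are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Function and variable names
// are hypothetical; $file is one entry of PHP's $_FILES superglobal.
declare(strict_types=1);

// --- Unvalidated pattern (for contrast only) --------------------------------
// Trusts the client-supplied file name and never inspects the type, so any
// file, including a server-side script, lands under a web-served directory.
function handle_upload_unvalidated(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened pattern --------------------------------------------------------
// Allowlist of extensions a contact form plausibly needs, each paired with the
// MIME type the file content must actually carry. $_FILES['type'] is set by the
// client and is deliberately ignored.
const ALLOWED_UPLOAD_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

// Returns the validated extension or throws. Only the final extension is
// considered, so "report.pdf.php" is rejected at the allowlist step, and a
// script renamed to "report.php.pdf" is rejected when its sniffed content
// does not match application/pdf.
function validate_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOAD_TYPES)) {
        throw new RuntimeException('File type not allowed');
    }
    // Sniff the MIME type from the bytes on disk, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_UPLOAD_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }
    // SI-3 hook: an antivirus or content scanner would be invoked on
    // $file['tmp_name'] here and throw on a detection (hypothetical call site).
    return $ext;
}

// Stores the file under a server-generated name so no client-controlled
// string reaches the filesystem path. $storageDir is assumed to sit outside
// the web root (or to be served with script execution disabled), so even a
// misclassified file is never executed by the web server.
function handle_upload_validated(array $file, string $storageDir): string
{
    $ext  = validate_upload($file);
    $dest = $storageDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// Usage from a form handler, assuming the form field is named "attachment":
// try {
//     $stored = handle_upload_validated($_FILES['attachment'], '/var/app/private-uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Upload rejected: ' . $e->getMessage());
// }
```

The three properties the hardened version adds map directly onto the controls listed above: an extension allowlist checked against sniffed content (input validation at the entry point), a scan hook before the file is accepted (malicious code protection), and a random server-side name in a non-executable directory, which limits the impact even when the first two checks are wrong.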
