The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upl...
Description
The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and includ...
AI Analyst Comment
Remediation
Update the Website Contact Form With File Upload plugin for WordPress to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical vulnerability exists in the "Website Contact Form With File Upload" plugin for WordPress, identified as CVE-2015-10137. This flaw allows an unauthenticated attacker to upload malicious files, such as web shells, directly to the server through the contact form. Successful exploitation could result in a complete compromise of the affected website, leading to data theft, website defacement, and further attacks launched from the compromised server.
Vulnerability Details
CVE-ID: CVE-2015-10137
Affected Software: The Website Contact Form With File Upload plugin for WordPress
Affected Versions: Versions up to and including an unspecified version are affected. See vendor advisory for specific affected versions.
Vulnerability: The vulnerability is an Unrestricted File Upload, stemming from a lack of proper file type validation within the upload_file() function. An unauthenticated remote attacker can craft a request to the contact form's file upload functionality and submit a file with a malicious extension (e.g., .php, .phtml). Because the backend code does not verify that the uploaded file is a benign type (like an image or document), the malicious script is saved to a web-accessible directory on the server. The attacker can then execute the script by navigating to its URL, granting them the ability to run arbitrary code on the server with the privileges of the web service account.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to a full compromise of the web server, posing a severe risk to the organization. Potential consequences include the theft of sensitive data stored on the website (such as customer information, user credentials, and proprietary business data), reputational damage from website defacement, and financial loss from business disruption or regulatory fines. Furthermore, a compromised server can be used as a pivot point to attack other internal network resources or be leveraged in botnets for broader malicious campaigns.
Remediation Plan
Immediate Action: Immediately update The Website Contact Form With File Upload plugin for WordPress to the latest version, which contains a patch for this vulnerability. After updating, verify that the patch has been successfully applied and the site is functioning as expected.
Proactive Monitoring: System administrators should actively monitor for signs of compromise. Review web server access logs for unusual POST requests to the contact form's endpoint, followed by GET requests to non-image files (e.g., files with .php extensions) in the WordPress uploads directory. Implement file integrity monitoring to detect the creation of unexpected or malicious files in web-accessible directories.
Compensating Controls: If immediate patching is not feasible, the following controls can reduce risk:
Configure the web server (via .htaccess or nginx.conf) to prevent the execution of scripts from the file upload directory.
Exploitation Status
Public Exploit Available: True
Analyst Notes: As of Jul 22, 2025, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, vulnerabilities of this type (unrestricted file upload in WordPress plugins) are trivial to exploit and are frequently targeted by automated scanning tools. The availability of public proof-of-concept code makes it highly likely that opportunistic attackers are actively searching for and exploiting unpatched instances.
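As an added illustration of the log review described under Proactive Monitoring (example code written for this page, not part of the advisory or the plugin), the script below parses combined-format access logs and correlates POSTs to the contact form with later GETs of .php/.phtml files under the uploads directory. The form endpoint, the uploads path, the time window and the log lines are assumptions or constructed samples, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions, not taken from the advisory: the form submits to this endpoint
# and the plugin stores attachments under the standard WordPress uploads tree.
FORM_ENDPOINT = "/wp-admin/admin-ajax.php"  # hypothetical
UPLOADS_PREFIX = "/wp-content/uploads/"
SCRIPT_EXTS = (".php", ".phtml")
WINDOW = timedelta(minutes=15)  # how long after a POST a GET still counts

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["path"] = d["path"].split("?", 1)[0].lower()  # drop query string
    return d

def find_suspects(lines):
    """Return (ip, path, reason) for each GET of a script file in uploads/.
    reason is 'correlated' when the same IP POSTed to the form within WINDOW
    beforehand (the advisory's pattern), otherwise 'uncorrelated'."""
    posts = defaultdict(list)  # ip -> timestamps of POSTs to the form
    findings = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"] == FORM_ENDPOINT:
            posts[rec["ip"]].append(rec["ts"])
        elif (rec["method"] == "GET" and rec["path"].startswith(UPLOADS_PREFIX)
              and rec["path"].endswith(SCRIPT_EXTS)):
            recent = any(timedelta(0) <= rec["ts"] - t <= WINDOW for t in posts[rec["ip"]])
            findings.append((rec["ip"], rec["path"], "correlated" if recent else "uncorrelated"))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [22/Jul/2025:10:00:07 +0000] "GET /wp-content/uploads/2025/07/attachment.php HTTP/1.1" 200 93 "-" "curl/8.0"',
    '198.51.100.9 - - [22/Jul/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/07/resume.pdf HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jul/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [22/Jul/2025:11:30:00 +0000] "GET /wp-content/uploads/old.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
```

Run `find_suspects(SAMPLE_LOG)` to list hits; an uncorrelated hit is still worth a look, since the upload and the first execution may come from different addresses or fall outside the window.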
Analyst Recommendation
Given the critical CVSS score of 9.8 and the high likelihood of exploitation, immediate action is required. We strongly recommend patching this vulnerability on an emergency basis, bypassing standard change management cycles if necessary. The risk of complete server compromise far outweighs the potential impact of an emergency update. If patching is delayed for any reason, the plugin must be disabled immediately to remove the attack vector while a permanent solution is implemented.