CVE-2015-10137
The Website Contact Form With File Upload plugin for WordPress
Executive summary
A critical vulnerability exists in the "Website Contact Form With File Upload" plugin for WordPress, identified as CVE-2015-10137. The flaw allows an unauthenticated remote attacker to upload files of any type, including PHP web shells, through the contact form's file upload feature; the file is stored in a web-accessible directory and can then be executed by requesting its URL. Successful exploitation gives the attacker code execution as the web server user and can result in complete compromise of the affected website, leading to data theft, defacement, and further attacks launched from the compromised server.
Vulnerability
The vulnerability is an Unrestricted File Upload caused by missing file type validation in the plugin's upload_file() function. An unauthenticated remote attacker can craft a request to the contact form's file upload functionality and submit a file with a server-executable extension (e.g., .php, .phtml). Because the backend does not restrict uploads to benign types (such as images or documents), the malicious script is saved to a web-accessible directory on the server. The attacker then executes it by requesting its URL, gaining arbitrary code execution with the privileges of the web server account. Note that rejecting ".php" alone is not a sufficient fix: alternative extensions the PHP handler accepts (.phtml, .phar, .php5), and double extensions such as .php.jpg on Apache configurations that map handlers with AddHandler, must be rejected as well. The safest design validates against an allowlist of expected types, stores the file under a server-chosen name, and keeps the upload directory non-executable.
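As an added illustration (this is example Python, not the plugin's PHP code), the following contrasts the flawed pattern with a hardened validator. The extension lists, the magic-byte table, and the assumption of an Apache/mod_php-style handler that executes .php, .phtml and similar extensions are assumptions made for this example, not details taken from the plugin.

```python
"""Added example: naive upload handling versus an allowlist-based check.

Not the plugin's code. Assumes a typical Apache/PHP deployment where the
extensions listed in EXECUTABLE_EXTENSIONS are handed to the PHP handler.
"""
import os
import secrets

# Extensions the web server may execute. Tune to your own handler config;
# ".phtml" and ".phar" are the ones a ".php"-only check misses.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "htaccess",
}

# Benign types a contact form is meant to accept, keyed by extension,
# each with the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}


def vulnerable_target_name(client_name: str) -> str:
    """The flawed pattern: the client-supplied name is used as-is.

    A request naming the file "shell.php" lands as shell.php in the
    web-accessible uploads directory, which is the bug described above.
    """
    return os.path.basename(client_name)


def check_upload(client_name: str, data: bytes):
    """Hardened check. Returns (True, safe_name) or (False, reason).

    The caller writes `data` under `safe_name` into a directory from which
    the web server is configured not to execute scripts.
    """
    name = os.path.basename(client_name)
    if "\x00" in name or name.startswith("."):
        return False, "null byte or dotfile in name"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    # Every dotted segment is checked, so shell.php.jpg is refused: Apache
    # with AddHandler treats each extension of a multi-extension name.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # Declared type must match the content; a PHP payload named .jpg fails.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # Server-chosen name: the attacker never controls what is written to disk.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for fname, payload in [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg", b"<?php echo 1; ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]:
        print(fname, "->", vulnerable_target_name(fname), check_upload(fname, payload))
```

The vulnerable function exists only to show the contrast; the hardened check rejects the cases a naive extension blacklist lets through (alternative PHP extensions, double extensions, a PHP payload under an image name, null bytes, and dotfiles such as .htaccess) and never trusts the client-supplied name.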
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to a full compromise of the web server, posing a severe risk to the organization. Potential consequences include the theft of sensitive data stored on the website (such as customer information, user credentials, and proprietary business data), reputational damage from website defacement, and financial loss from business disruption or regulatory fines. Furthermore, a compromised server can be used as a pivot point to attack other internal network resources or be leveraged in botnets for broader malicious campaigns.
Remediation
Immediate Action: Update the Website Contact Form With File Upload plugin to the latest version, which contains the patch for this vulnerability. After updating, confirm the installed version in the WordPress plugin list, verify that the contact form still submits correctly, and test that a file with a .php extension is now rejected.
Proactive Monitoring: System administrators should actively monitor for signs of compromise. Review web server access logs for POST requests to the contact form's endpoint followed, from the same client, by GET requests for script files (.php, .phtml and similar) under the WordPress uploads directory (wp-content/uploads); a 200 response to such a GET indicates the uploaded script executed, while 404s indicate probing. Also list the uploads directory for any file with an executable extension, since the form should only ever produce images or documents there. Implement file integrity monitoring to alert on the creation of unexpected files in web-accessible directories.
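The log review described above can be scripted. The following is an added Python example (not from the advisory or the plugin) that parses Apache combined-format access log lines and flags requests for script files under wp-content/uploads, marking them as correlated when the same client POSTed to a form endpoint shortly before. The endpoint set (admin-ajax.php and /contact/), the 10-minute window and the log lines are constructed assumptions for the example; replace the endpoints with wherever your contact form actually submits.

```python
"""Added example: correlate contact-form POSTs with later requests for
script files under the WordPress uploads directory (Apache combined log)."""
import re
from datetime import datetime, timedelta

# Assumption for this example: where the contact form submits. Many WordPress
# plugins post through admin-ajax.php, but confirm the real endpoint first.
FORM_ENDPOINTS = {"/wp-admin/admin-ajax.php", "/contact/"}
UPLOADS_PREFIX = "/wp-content/uploads/"
# Anything the PHP handler might execute. A 200 on such a request is the
# strongest signal; a 404 still indicates someone probing for a shell.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic. The first client uploads and
# then calls its shell; the second is a legitimate user fetching a PDF; the
# third is a scanner probing for a shell that is not there.
LOG_SAMPLE = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "GET /wp-content/uploads/2024/03/shell.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:14:05:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.com/contact/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:05:05 +0000] "GET /wp-content/uploads/2024/03/resume.pdf HTTP/1.1" 200 43011 "https://example.com/contact/" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:14:09:44 +0000] "GET /wp-content/uploads/2024/03/x.phtml HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""


def find_upload_abuse(log_text, window=timedelta(minutes=10)):
    """Return one alert dict per request for a script file under uploads.

    correlated=True means the same client IP POSTed to a form endpoint
    within `window` before the request: the upload-then-execute sequence
    the advisory describes.
    """
    last_post = {}  # client IP -> time of its most recent form POST
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method = m["ip"], m["method"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop the query string
        if method == "POST" and path in FORM_ENDPOINTS:
            last_post[ip] = ts
            continue
        if path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT_RE.search(path):
            posted = last_post.get(ip)
            alerts.append({
                "ip": ip,
                "time": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "correlated": posted is not None and ts - posted <= window,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_abuse(LOG_SAMPLE):
        level = "HIGH" if alert["correlated"] else "MEDIUM"
        print(f"{level} {alert['ip']} {alert['time']} {alert['status']} {alert['path']}")
```

Run it against a real log with `find_upload_abuse(open("access.log").read())`. The script only reports; a correlated hit with status 200 should be treated as a confirmed compromise and trigger incident response, not just a plugin update.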
Compensating Controls: If immediate patching is not feasible, the following controls can reduce risk:
- Disable and deactivate the vulnerable plugin until it can be safely updated.
- Implement a Web Application Firewall (WAF) with rules designed to inspect file uploads and block files with executable extensions.
- Modify the web server configuration (e.g., via .htaccess or nginx.conf) to prevent the execution of scripts from the file upload directory.
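As an added example of the last control (this is not configuration shipped with the plugin or WordPress), the following Apache 2.4 .htaccess fragment, placed in wp-content/uploads/, refuses to serve PHP-like files from anywhere under that tree. It assumes the site runs on Apache with AllowOverride AuthConfig (or All) in effect for the uploads directory, which is what permits the Require directive in .htaccess.

```apache
# Added example: place this .htaccess in wp-content/uploads/ (Apache 2.4).
# Denies requests for PHP-like files anywhere under the uploads tree, so an
# already-uploaded web shell cannot be executed by requesting its URL.
# Assumes AllowOverride AuthConfig (or All) applies to this directory.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
```

On Apache 2.2, replace `Require all denied` with `Order deny,allow` and `Deny from all`. The nginx equivalent is a regex location placed before the PHP FastCGI location, for example `location ~* ^/wp-content/uploads/.*\.(php|php[0-9]|phtml|phar)$ { deny all; }`; nginx uses the first matching regex location, so its position in the file matters. Neither setting stops the upload itself; it only stops the uploaded script from running, so keep the plugin disabled or patched as well.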
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical CVSS score of 9.8 and the high likelihood of exploitation, immediate action is required. We strongly recommend patching this vulnerability on an emergency basis, bypassing standard change management cycles if necessary. The risk of complete server compromise far outweighs the potential impact of an emergency update. If patching is delayed for any reason, the plugin must be disabled immediately to remove the attack vector while a permanent solution is implemented.