CVE-2015-10137

Published: Jul 22, 2025Modified: Dec 16, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Affected (1)

Products: Najeebmedia: Website Contact Form With File Upload

1 product

Website Contact Form With File Upload

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Najeebmedia Website Contact Form With File Upload	Up to 1.3.4

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (7)

https://packetstormsecurity.com/files/131413/

Source: security@wordfence.com

Exploit

https://packetstormsecurity.com/files/131514/

Source: security@wordfence.com

Exploit

https://plugins.trac.wordpress.org/browser/website-contact-form-with-file-upload/trunk/readme.txt

Source: security@wordfence.com

Release Notes

https://plugins.trac.wordpress.org/browser/website-contact-form-with-file-upload/trunk/readme.txt#L147

Source: security@wordfence.com

Release Notes

https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-n-media-website-contact-form-with-file-upload-arbitrary-file-upload-1-3-4/

Source: security@wordfence.com

Technical Description

https://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/

Source: security@wordfence.com

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/8395e0c4-3feb-4551-9f2f-7b80cd187eca?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.