← Back

CVE-2015-10138

nvd nist
Published: Jul 19, 2025Modified: Dec 16, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: security@wordfence.com (Secondary)

Description

The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Affected (1)

Lynton Reed
1 product
Work The Flow File Upload
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Work The Flow File Upload
Up to 2.5.2

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (9)

Source: security@wordfence.com
Exploit
Source: security@wordfence.com
Exploit
Source: security@wordfence.com
Patch
Source: security@wordfence.com
Patch
Source: security@wordfence.com
Third Party Advisory
Source: security@wordfence.com
Third Party Advisory
Source: security@wordfence.com
ExploitThird Party Advisory
Source: security@wordfence.com
Third Party Advisory
Source: security@wordfence.com
Third Party Advisory

Timeline

No history available yet.