CVE-2013-7102

EXPLOITED IN THE WILD

OptimizePress < 1.60 - Unauthenticated Arbitrary File Upload via Media Upload Endpoints

Title source: llm

Exploitation Summary

CVE-2013-7102 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including United of Muslim Cyber Army, Mekanismen, including a Metasploit module exploits/unix/webapp/wp_optimizepress_upload.

AI-analyzed exploit summary This Metasploit module exploits an insecure file upload vulnerability in the WordPress OptimizePress theme (CVE-2013-7102), allowing arbitrary PHP code execution. It uploads a malicious PHP payload via the media-upload.php component and executes it.

Description

Multiple unrestricted file upload vulnerabilities in (1) media-upload.php, (2) media-upload-lncthumb.php, and (3) media-upload-sq_button.php in lib/admin/ in the OptimizePress theme before 1.61 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images_comingsoon, images_lncthumbs, or images_optbuttons in wp-content/uploads/optpress/, as exploited in the wild in November 2013.

Exploits (1)

metasploit WORKING POC EXCELLENT

by United of Muslim Cyber Army, Mekanismen · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_optimizepress_upload.rb

View Code ZIP pw:eip

This Metasploit module exploits an insecure file upload vulnerability in the WordPress OptimizePress theme (CVE-2013-7102), allowing arbitrary PHP code execution. It uploads a malicious PHP payload via the media-upload.php component and executes it.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress OptimizePress Theme <= 1.45

No auth needed

Prerequisites: WordPress with vulnerable OptimizePress theme installed · Access to the media-upload.php endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources x_refsource_confirm

http://help.optimizepress.com/customer/portal/articles/1381790-important-optimizepress-1-0-security-update

Exploit x_refsource_misc

http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/

Exploit x_refsource_misc

http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2013/Dec/127

Scores

EPSS 0.6332

EPSS Percentile 98.4%

Details

VulnCheck KEV 2013-12-23

InTheWild.io 2013-12-24

CWE

CWE-20

Status published

Products (1)

optimizepress/optimizepress < 1.60

Published Dec 23, 2013

Tracked Since Feb 18, 2026