CVE-2014-10021

EXPLOITED

WP Symposium 14.11 - Unauthenticated Arbitrary File Upload via UploadHandler.php

Title source: llm

Exploitation Summary

CVE-2014-10021 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Metasploit, Claudio Viviani and rastating, among them the Metasploit module exploits/unix/webapp/wp_symposium_shell_upload.

AI-analyzed exploit summary: This Metasploit module exploits a file upload vulnerability in WordPress WP Symposium plugin (CVE-2014-10021) to achieve remote code execution by uploading a malicious PHP payload. The exploit leverages improper file sanitization in the file_upload_form.php script.

Description

Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in server/php/.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/35778

This Metasploit module exploits a file upload vulnerability in WordPress WP Symposium plugin (CVE-2014-10021) to achieve remote code execution by uploading a malicious PHP payload. The exploit leverages improper file sanitization in the file_upload_form.php script.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress WP Symposium < 14.12
No auth needed
Prerequisites: Target running vulnerable WP Symposium plugin · Network access to WordPress instance
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Claudio Viviani · python · webapps · php
https://www.exploit-db.com/exploits/35543

This exploit targets a file upload vulnerability in WordPress WP Symposium 14.11, allowing arbitrary file uploads via an unprotected endpoint. It bypasses extension checks by leveraging a vulnerable upload handler.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress WP Symposium 14.11
No auth needed
Prerequisites: Target must have WP Symposium 14.11 installed · Upload endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Claudio Viviani, rastating · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb

This Metasploit module exploits a file upload vulnerability in WP Symposium plugin for WordPress, allowing arbitrary PHP code execution by uploading a malicious PHP file and accessing it directly.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress WP Symposium < 14.12
No auth needed
Prerequisites: Target running vulnerable WP Symposium plugin · Access to the WordPress plugin upload endpoint
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/35543
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71686

Scores

EPSS 0.7845
EPSS Percentile 99.1%

Details

VulnCheck KEV 2014-12-30
Status published
Products (1)
wpsymposiumpro/wp_symposium 14.11
Published Jan 13, 2015
Tracked Since Feb 18, 2026