CVE-2014-8739

Critical · Exploited in the wild · Nuclei template available

Creative Contact Form < 1.0.0 - Unauthenticated Arbitrary File Upload via jQuery File Upload Plugin

Title source: manual

Exploitation Summary

CVE-2014-8739 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 3 public exploits, from Metasploit, Claudio Viviani and Gianni Angelozzi, one of which is the Metasploit module exploits/unix/webapp/wp_creativecontactform_file_upload. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits an arbitrary PHP file upload vulnerability in WordPress Creative Contact Form 0.9.7, allowing remote code execution by uploading a malicious PHP payload via a multipart form request.

Description

Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.

Exploits (3)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/36811

This Metasploit module exploits an arbitrary PHP file upload vulnerability in WordPress Creative Contact Form 0.9.7, allowing remote code execution by uploading a malicious PHP payload via a multipart form request.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Creative Contact Form 0.9.7
Authentication: none needed
Prerequisites: WordPress site with Creative Contact Form 0.9.7 installed · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026
exploitdb · Working PoC
by Claudio Viviani · python · webapps · php
https://www.exploit-db.com/exploits/35057

This exploit targets a file upload vulnerability in WordPress (Sexy Contact Form plugin <= 0.9.7) and Joomla (Creative Contact Form extension <= 2.0.0), allowing arbitrary file uploads leading to remote code execution. It crafts a multipart form request to bypass restrictions and uploads a malicious file.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress (Sexy Contact Form plugin <= 0.9.7), Joomla (Creative Contact Form extension <= 2.0.0)
Authentication: none needed
Prerequisites: Target URL with vulnerable plugin/extension · Accessible upload endpoint · Malicious file to upload
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Excellent
by Gianni Angelozzi · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb

This Metasploit module exploits an arbitrary file upload vulnerability in WordPress Creative Contact Form 0.9.7, allowing remote code execution via PHP file upload. It uploads a malicious PHP payload and triggers it to achieve RCE.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Creative Contact Form 0.9.7
Authentication: none needed
Prerequisites: Target running WordPress with Creative Contact Form 0.9.7 · Network access to the WordPress site
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload
Critical · Verified · by melmathari

References (8)

Core references (8)
https://www.exploit-db.com/exploits/35057/ [Exploit, Third Party Advisory, VDB Entry; x_refsource_misc]
https://www.exploit-db.com/exploits/36811/ [Exploit, Third Party Advisory, VDB Entry; x_refsource_misc]
http://www.openwall.com/lists/oss-security/2014/11/11/4 [Mailing List, Third Party Advisory; x_refsource_misc]
http://www.openwall.com/lists/oss-security/2014/11/11/5 [Mailing List, Third Party Advisory; x_refsource_misc]
http://www.openwall.com/lists/oss-security/2014/11/13/3 [Mailing List, Third Party Advisory; x_refsource_misc]
https://wordpress.org/plugins/sexy-contact-form/changelog/ [Third Party Advisory; x_refsource_misc]
http://osvdb.org/show/osvdb/113669 [Broken Link; x_refsource_misc]
http://osvdb.org/show/osvdb/113673 [Broken Link; x_refsource_misc]

Scores

CVSS v3: 9.8
EPSS: 0.9155
EPSS percentile: 99.7%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2020-02-08
InTheWild.io: 2020-02-12
CWE: CWE-434
Status: published
Products (4):
blueimp/jquery-file-upload (Packagist)
creative-solutions/creative_contact_form < 1.0.0
creative-solutions/creative_contact_form < 2.0.1
jquery_file_upload_project/jquery_file_upload 6.4.4
Published: Feb 08, 2020
Tracked since: Feb 18, 2026