CVE-2015-10137

CRITICAL

Website Contact Form With File Upload <1.3.4 - RCE


Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-10137. PoCs were published by Kai-One001 and Claudio Viviani, including the Metasploit module exploits/unix/webapp/wp_nmediawebsite_file_upload.

AI-analyzed exploit summary: This is a functional exploit for CVE-2015-10137, targeting a file upload vulnerability in WordPress N-Media Website Contact Form with File Uploader 1.3.4. It uploads a PHP webshell and provides an interactive shell for remote command execution.

Description

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (2)

nomisec WORKING POC
by Kai-One001 · poc
https://github.com/Kai-One001/-CVE-2015-10137-WordPress-N-Media-Website-Contact-Form-with-File-Upload-1.3.4

This is a functional exploit for CVE-2015-10137, targeting a file upload vulnerability in WordPress N-Media Website Contact Form with File Uploader 1.3.4. It uploads a PHP webshell and provides an interactive shell for remote command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress N-Media Website Contact Form with File Uploader 1.3.4
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and activated · Upload directory must be web-accessible and PHP execution must be allowed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Claudio Viviani · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb

This Metasploit module exploits an arbitrary file upload vulnerability in the WordPress N-Media Website Contact Form plugin (version 1.3.4), allowing remote code execution via a malicious PHP file upload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress N-Media Website Contact Form plugin v1.3.4
No auth needed
Prerequisites: Target running vulnerable WordPress plugin · Network access to WordPress admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.7921
EPSS Percentile: 99.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-434
Status: published
Products (2):
- N-Media/Website Contact Form With File Upload < 1.3.4
- najeebmedia/website_contact_form_with_file_upload < 1.3.4
Published: Jul 22, 2025
Tracked Since: Feb 18, 2026