CVE-2015-1172

Holding Pattern <0.6 - RCE

Title source: llm

Description

Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubywebappslinux

https://www.exploit-db.com/exploits/41698

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Alexander Borg, rastating · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_holding_pattern_file_upload.rb

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/7784

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/72546

Scores

EPSS 0.8115

EPSS Percentile 99.2%

Details

Status published

Products (1)

holding_pattern_project/holding_pattern < 0.6

Published Feb 11, 2015

Tracked Since Feb 18, 2026