CVE-2015-2825

Simple Ads Manager < 2.5.94 - Unauthenticated Arbitrary File Upload via sam-ajax-admin.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2825. PoCs published by ITAS Team.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in the WordPress plugin Simple Ads Manager. The vulnerable endpoint allows unauthenticated file uploads via a multipart form request, enabling remote code execution by uploading a malicious PHP file.

Description

Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the path parameter.

Exploits (1)

exploitdb WORKING POC
by ITAS Team · text · webapps · php
https://www.exploit-db.com/exploits/36614


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Simple Ads Manager plugin version 2.5.94
No auth needed
Prerequisites: Access to the target WordPress site with the vulnerable plugin installed
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.1445
EPSS Percentile 96.2%

Details

Status published
Products (1)
simple_ads_manager_project/simple_ads_manager < 2.5.94
Published Apr 21, 2015
Tracked Since Feb 18, 2026