CVE-2015-8351

CRITICAL · EXPLOITED

Gwolle Guestbook < 1.5.3 - Authenticated Remote File Inclusion via abspath Parameter


Exploitation Summary

CVE-2015-8351 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including High-Tech Bridge SA, G4sp4rCS and G01d3nW01f.

AI-analyzed exploit summary: This advisory describes a Remote File Inclusion (RFI) vulnerability in the Gwolle Guestbook WordPress Plugin (CVE-2015-8351). The vulnerability allows unauthenticated attackers to include remote PHP files via the 'abspath' parameter, leading to arbitrary code execution.

Description

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.
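The description names two conditions a defender can look for in web-server logs: a URL in the abspath parameter sent to frontend/captcha/ajaxresponse.php (remote inclusion, effective only with allow_url_include) and directory-traversal sequences in the same parameter (local inclusion, effective regardless of that setting). The following log scan is an added example, not code from the page, the plugin or any of the listed repositories; the combined access-log format, the wp-content plugin path and the sample lines are assumptions/constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access-log shape (an assumption about the log source).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Scheme of two or more characters (http:, data:, php:, ...); a single letter is not a
# scheme here, so a Windows drive prefix such as C:/ is not reported as a URL.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]+:', re.IGNORECASE)

# Constructed sample lines: a neutral value, a remote URL, a double-encoded traversal, an unrelated endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2026:12:00:01 +0000] "GET /wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=%2Fvar%2Fwww%2Fhtml%2F HTTP/1.1" 200 312
198.51.100.7 - - [10/Feb/2026:12:00:02 +0000] "GET /wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 512
198.51.100.7 - - [10/Feb/2026:12:00:03 +0000] "GET /wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=..%252F..%252F..%252Fetc%252F HTTP/1.1" 200 118
203.0.113.11 - - [10/Feb/2026:12:00:04 +0000] "GET /index.php?abspath=http://example.invalid/ HTTP/1.1" 200 1024
"""

def fully_decode(value: str, rounds: int = 3) -> str:
    # Strip up to `rounds` layers of percent-encoding (catches %252F-style double encoding).
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_abspath(value: str):
    # Return which inclusion type an abspath value points at, or None for neither indicator.
    v = fully_decode(value).replace("\\", "/")
    if SCHEME_RE.match(v):
        return "remote-inclusion"  # URL or stream wrapper; only effective with allow_url_include
    if "../" in v or v.endswith(".."):
        return "traversal-lfi"     # local include via traversal; independent of allow_url_include
    return None

def scan_log(text: str):
    # Collect (client_ip, kind, decoded_value) for suspicious hits on the vulnerable endpoint.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/frontend/captcha/ajaxresponse.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("abspath", []):
            kind = classify_abspath(value)
            if kind:
                findings.append((m.group("ip"), kind, fully_decode(value)))
    return findings
```

Both indicator classes are reported so that hosts with allow_url_include disabled still surface the traversal variant the description says works regardless of that setting.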

Exploits (4)

exploitdb WRITEUP
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/38861

This advisory describes a Remote File Inclusion (RFI) vulnerability in the Gwolle Guestbook WordPress Plugin (CVE-2015-8351). The vulnerability allows unauthenticated attackers to include remote PHP files via the 'abspath' parameter, leading to arbitrary code execution.

Classification: Writeup (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Gwolle Guestbook WordPress Plugin 1.5.3 and prior
Authentication: none needed
Prerequisites: allow_url_include set to 1 for RFI, or local file inclusion otherwise
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC · 2 stars
by G4sp4rCS · infoleak
https://github.com/G4sp4rCS/exploit-CVE-2015-8351

This repository contains a functional Python exploit for CVE-2015-8351, a Remote File Inclusion (RFI) vulnerability in the Gwolle Guestbook WordPress Plugin. The exploit crafts a malicious HTTP GET request to include a remote 'wp-load.php' file from an attacker-controlled server, leading to arbitrary code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Gwolle Guestbook WordPress Plugin (versions affected by CVE-2015-8351)
Authentication: none needed
Prerequisites: Attacker-controlled server hosting a malicious 'wp-load.php' file · Netcat listener on attacker machine for reverse shell
Analyzed by devstral-2 on Feb 18, 2026
nomisec WORKING POC · 1 star
by G01d3nW01f · remote
https://github.com/G01d3nW01f/CVE-2015-8351

This repository contains a functional exploit for CVE-2015-8351, targeting a Remote File Inclusion (RFI) vulnerability in the WordPress plugin 'gwolle-gb' version 1.5.3. The exploit generates a reverse shell payload and serves it via a local HTTP server, then crafts a malicious request to the vulnerable endpoint to trigger the RFI and execute the payload.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress plugin gwolle-gb 1.5.3
Authentication: none needed
Prerequisites: Target must have the vulnerable plugin installed · Attacker must have network access to the target · Target must be able to make outbound connections to the attacker's server
Analyzed by devstral-2 on Feb 18, 2026
nomisec WORKING POC
by Philip-Otter · remote
https://github.com/Philip-Otter/CVE-2015-8351_Otter_Remix

This exploit leverages a Remote File Inclusion (RFI) vulnerability in the Gwolle Guestbook WordPress plugin (CVE-2015-8351) to achieve remote code execution (RCE). It sets up a malicious PHP payload on an attacker-controlled server and tricks the vulnerable endpoint into executing it via a crafted GET request.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Gwolle Guestbook plugin (versions prior to fix)
Authentication: none needed
Prerequisites: Attacker-controlled server to host malicious payload · Target WordPress site with vulnerable Gwolle Guestbook plugin
Analyzed by devstral-2 on Feb 18, 2026

References (5)

Third Party Advisory (x_refsource_confirm): https://wordpress.org/plugins/gwolle-gb/changelog/
Third Party Advisory (x_refsource_misc): https://www.htbridge.com/advisory/HTB23275
Third Party Advisory, VDB Entry, exploit (x_refsource_exploit-db): https://www.exploit-db.com/exploits/38861/
Third Party Advisory, VDB Entry, mailing-list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/537020/100/0/threaded

Scores

CVSS v3: 9.0
EPSS: 0.6945
EPSS Percentile: 98.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-01-22
CWE: CWE-94
Status: published
Products (1): gwolle_guestbook_project/gwolle_guestbook < 1.5.3
Published: Sep 11, 2017
Tracked Since: Feb 18, 2026