CVE-2015-9499

CRITICAL EXPLOITED NUCLEI

Showbiz Pro < 1.7.1 - Unauthenticated PHP File Upload via ZIP Archive

Title source: llm

Exploitation Summary

CVE-2015-9499 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Simo Ben Youssef. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets an authentication bypass vulnerability in Slider Revolution and Showbiz Pro WordPress plugins, allowing unauthenticated attackers to upload a malicious PHP shell via the update_plugin function. The PoC demonstrates the upload of a shell (cmd.php) by abusing the revslider_ajax_action or showbiz_ajax_action endpoints.

Description

The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Simo Ben Youssef · perlwebappsphp

https://www.exploit-db.com/exploits/35385

View Code ZIP pw:eip

This exploit targets an authentication bypass vulnerability in Slider Revolution and Showbiz Pro WordPress plugins, allowing unauthenticated attackers to upload a malicious PHP shell via the update_plugin function. The PoC demonstrates the upload of a shell (cmd.php) by abusing the revslider_ajax_action or showbiz_ajax_action endpoints.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Slider Revolution (<= 3.0.95) / Showbiz Pro (<= 1.7.1)

No auth needed

Prerequisites: Target must have vulnerable plugin installed · Perl with LWP::UserAgent module · revslider.zip or showbiz.zip containing cmd.php

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress ShowBiz Pro <= 1.7.1 - Authenticated Arbitrary File Upload to RCE

CRITICALVERIFIEDby iamnoooob,pdresearch

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://wpvulndb.com/vulnerabilities/7955

Exploit, Third Party Advisory x_refsource_misc

https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_showbiz_file_upload.rb

View Exploit ZIP pw:eip

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/35385

Scores

CVSS v3 9.8

EPSS 0.6789

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2014-11-25

CWE

CWE-434

Status published

Products (1)

themepunch/showbiz_pro < 1.7.1

Published Oct 22, 2019

Tracked Since Feb 18, 2026