CVE-2016-15042

CRITICAL EXPLOITED NUCLEI LAB

WordPress Frontend File Manager <4.0, N-Media Post Front-end Form <1.1 - Unauthenticated RCE

Title source: llm

Exploitation Summary

CVE-2016-15042 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, from researchers ImBIOS and Aditya43621. A Nuclei detection template is also available.

Description

The Frontend File Manager (versions < 4.0) and N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation in the `nm_filemanager_upload_file` and `nm_postfront_upload_file` AJAX actions. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (2)

nomisec WORKING POC 1 star
by ImBIOS · poc
https://github.com/ImBIOS/lab-cve-2016-15042

This repository provides a Dockerized lab environment to demonstrate CVE-2016-15042, an unauthenticated file upload vulnerability in WordPress plugins Frontend File Manager (v3.7) and N-Media Post Front-end Form (v1.0). It includes automated setup scripts and Nuclei templates for validation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress plugins: nmedia-user-file-uploader (<4.0) and wp-post-frontend (<1.1)
No auth needed
Prerequisites: Docker · Docker Compose · curl · Nuclei (optional)
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS
by Aditya43621 · poc
https://github.com/Aditya43621/lab-cve-2016-15042

The repository lacks functional exploit code for CVE-2016-15042 and instead contains a Node.js application with social media download utilities. The README is filled with broken image links and no technical details about the vulnerability.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

WordPress Frontend File Manager < 4.0 & N-Media Post Frontend < 1.1 - Arbitrary File Upload
CRITICAL · VERIFIED · by jsnv-dev

Scores

CVSS v3 9.8
EPSS 0.7583
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

Community Lab
docker pull wordpress:php7.4-apache
docker pull wordpress:cli-php7.4

Details

VulnCheck KEV 2024-10-15
CWE CWE-434
Status published
Products (4)
najeebmedia/frontend_file_manager < 4.0
najeebmedia/post_front-end_form < 1.1
nmedia/Frontend File Manager Plugin < 4.0
nmedia/N-Media Post Front-end Form < 1.0
Published Oct 16, 2024
Tracked Since Feb 18, 2026