CVE-2012-3574
published 2012-06-16CVE-2012-3574: Unrestricted file upload vulnerability in includes/doajaxfileupload.php in the MM Forms Community plugin 2.2.5 and 2.2.6 for WordPress allows remote attackers…
PriorityP265high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
11.75%
95.5th percentile
Unrestricted file upload vulnerability in includes/doajaxfileupload.php in the MM Forms Community plugin 2.2.5 and 2.2.6 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/temp.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tbelmans | mm_forms_community | — | — |
| tbelmans | mm_forms_community | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
- →The vulnerable upload endpoint is includes/doajaxfileupload.php — monitor for unauthenticated POST requests to this script containing multipart file uploads with executable extensions (e.g., .php). ↗
- →Webshell execution occurs via direct GET requests to files dropped under /wp-content/plugins/mm-forms-community/upload/temp/ — alert on any GET to this directory path, especially for .php files. ↗
- →Use Google dork 'inurl:/wp-content/plugins/mm-forms-community/' to identify exposed vulnerable WordPress installations for proactive scanning. ↗
- ·The two Snort/Suricata rules (SID 2015726 and 2015727) only detect GET requests to the upload/temp directory (webshell access stage), not the initial file upload POST to doajaxfileupload.php. Additional rules covering the upload phase are needed for full coverage.
- ·Affected versions are strictly 2.2.5 and 2.2.6 of the MM Forms Community WordPress plugin; detections should be scoped accordingly to reduce false positives on patched or unrelated installations. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
suricata·2012-09-22
CVE-2012-3574 ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
Suricata
ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
suricata·2012-09-22
CVE-2012-3574 ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
No writeups or analysis indexed.
http://secunia.com/advisories/49411http://www.exploit-db.com/exploits/18997http://www.opensyscom.fr/Actualites/wordpress-plugins-mm-forms-community-shell-upload-vulnerability.htmlhttp://www.securityfocus.com/bid/53852https://exchange.xforce.ibmcloud.com/vulnerabilities/76133http://secunia.com/advisories/49411http://www.exploit-db.com/exploits/18997http://www.opensyscom.fr/Actualites/wordpress-plugins-mm-forms-community-shell-upload-vulnerability.htmlhttp://www.securityfocus.com/bid/53852https://exchange.xforce.ibmcloud.com/vulnerabilities/76133
2012-06-16
Published