CVE-2014-5460
published 2014-09-11


Priority: P264 · Severity: medium · CVSS 2.0 base score: 6.5
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public PoC available
EPSS: 70.89% (99.3rd percentile)
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.

Affected

7 ranges

Vendor      Product                      Version range   Fixed in
tribulant   tibulant_slideshow_gallery   <= 1.4.6
tribulant   tibulant_slideshow_gallery
tribulant   tibulant_slideshow_gallery
tribulant   tibulant_slideshow_gallery
tribulant   tibulant_slideshow_gallery
tribulant   tibulant_slideshow_gallery
tribulant   tibulant_slideshow_gallery

Detection & IOCs (extracted from sources)

url: /wp-admin/admin.php?page=slideshow-slides&method=save
path: /wp-content/uploads/slideshow-gallery/
filename: backdoor.php
url: /wp-admin/admin.php?page=slideshow-slides&Galleryupdated=true&Gallerymessage=Slide+has+been+saved
command: weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
  • Detect POST requests to the slideshow plugin save endpoint whose multipart body contains a PHP file — unlike the WordPress media API, the plugin does not restrict uploaded file types.
  • Alert on any PHP file appearing under the path wp-content/uploads/slideshow-gallery/ — this directory is the fixed drop location for uploaded webshells.
  • Flag multipart POST requests to admin.php?page=slideshow-slides&method=save where the uploaded filename in the Content-Disposition header has a .php extension.
  • The exploit uses a distinctive multipart boundary string; detect it in HTTP request bodies as a signature of the Python PoC tool.
  • Monitor for the successful upload confirmation response containing the Galleryupdated=true parameter, which indicates that a slide (and potentially a shell) was saved.
  • Exploitation requires the attacker to be authenticated; any registered WordPress role (Administrator, Editor, Author, Contributor, Subscriber) is sufficient — not just admins.
  • The vulnerability is fixed in Slideshow Gallery version 1.4.7; detections targeting the upload endpoint are only relevant on sites running version 1.4.6 or earlier.
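As an added illustration of the detection bullets above (this is example code written for this page, not from the plugin or the cited sources), the script below turns three of the indicators into checks that run over WAF-style request records and file-integrity paths: a multipart POST to admin.php?page=slideshow-slides&method=save carrying a PHP-family filename, the Galleryupdated=true save confirmation, and PHP files under wp-content/uploads/slideshow-gallery/. The request records and paths are constructed samples; the record field names (method, uri, content_type, body) are an assumption about the log format.

```python
"""Detection checks for the CVE-2014-5460 indicators (added example).
The request records and file paths below are constructed samples."""
import re
from urllib.parse import parse_qs, urlsplit

SAVE_ENDPOINT = "/wp-admin/admin.php"
DROP_DIR = "wp-content/uploads/slideshow-gallery/"
# PHP-family extensions that should never be accepted for an image slide.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# filename="..." on a multipart Content-Disposition header line.
FILENAME_RE = re.compile(
    r'Content-Disposition:[^\r\n]*?filename="([^"\r\n]*)"', re.IGNORECASE)


def _path_and_query(uri):
    parts = urlsplit(uri)
    return parts.path, parse_qs(parts.query)


def is_save_endpoint(uri):
    """True for admin.php?page=slideshow-slides&method=save (extra params allowed)."""
    path, q = _path_and_query(uri)
    return (path.endswith(SAVE_ENDPOINT)
            and q.get("page") == ["slideshow-slides"]
            and q.get("method") == ["save"])


def is_save_confirmation(uri):
    """True for the post-save redirect that carries Galleryupdated=true."""
    path, q = _path_and_query(uri)
    return (path.endswith(SAVE_ENDPOINT)
            and q.get("page") == ["slideshow-slides"]
            and q.get("Galleryupdated") == ["true"])


def php_filenames_in_body(body):
    """Filenames with a PHP-family extension declared in multipart part headers."""
    return [f for f in FILENAME_RE.findall(body) if PHP_EXT_RE.search(f.strip())]


def inspect_request(req):
    """req is a dict with method, uri, content_type and body (assumed log format).
    Returns a list of findings; empty when the request is benign."""
    findings = []
    method = req.get("method", "").upper()
    ctype = req.get("content_type", "").lower()
    if method == "POST" and ctype.startswith("multipart/form-data") and is_save_endpoint(req["uri"]):
        for name in php_filenames_in_body(req.get("body", "")):
            findings.append(f"PHP upload '{name}' via slideshow-slides save endpoint")
    if method == "GET" and is_save_confirmation(req["uri"]):
        findings.append("slide save confirmation (Galleryupdated=true)")
    return findings


def php_files_in_drop_dir(paths):
    """Paths (e.g. from a file-integrity scan) that are PHP files under the drop directory."""
    return [p for p in paths
            if DROP_DIR in p.replace("\\", "/") and PHP_EXT_RE.search(p)]


# Constructed sample records: one PHP upload, one ordinary image upload, one confirmation.
BOUNDARY = "----constructedboundary"
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/wp-admin/admin.php?page=slideshow-slides&method=save",
     "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"Slide[title]\"\r\n\r\ntest\r\n"
              f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"image\"; filename=\"backdoor.php\"\r\n"
              f"Content-Type: application/octet-stream\r\n\r\nPHP-CONTENT-PLACEHOLDER\r\n--{BOUNDARY}--\r\n")},
    {"method": "POST", "uri": "/wp-admin/admin.php?page=slideshow-slides&method=save",
     "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"image\"; filename=\"holiday.jpg\"\r\n"
              f"Content-Type: image/jpeg\r\n\r\nJPEG-BYTES-PLACEHOLDER\r\n--{BOUNDARY}--\r\n")},
    {"method": "GET", "uri": "/wp-admin/admin.php?page=slideshow-slides&Galleryupdated=true"
                             "&Gallerymessage=Slide+has+been+saved", "content_type": "", "body": ""},
]
SAMPLE_PATHS = [
    "wp-content/uploads/slideshow-gallery/backdoor.php",   # constructed hit
    "wp-content/uploads/slideshow-gallery/photo.jpg",      # benign image
    "wp-content/uploads/2014/09/notes.php",                # PHP, but not in the drop dir
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for finding in inspect_request(req):
            print(f"{req['method']} {req['uri']}: {finding}")
    for hit in php_files_in_drop_dir(SAMPLE_PATHS):
        print(f"PHP file in drop directory: {hit}")
```

The save-endpoint check matches on parsed query parameters rather than a raw substring, so parameter reordering or extra parameters do not evade it; the file-system check is only meaningful on sites still running 1.4.6 or earlier, as the last bullet notes.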