CVE-2014-8739
published 2020-02-08

Priority: P1 · 94
Severity: critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.66% (99.8th percentile)
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.

Affected

3 ranges
Vendor                      Product                Version range  Fixed in
creative-solutions          creative_contact_form  < 1.0.0        1.0.0
creative-solutions          creative_contact_form  < 2.0.1        2.0.1
jquery_file_upload_project  jquery_file_upload

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php
path: /wp-content/plugins/sexy-contact-form/includes/fileupload/files/
path: /components/com_creativecontactform/fileupload/index.php
path: /components/com_creativecontactform/fileupload/files/
path: server/php/UploadHandler.php
bytes: ----------lImIt_of_THE_fIle_eW_$
  • Detect POST requests to the WordPress plugin upload endpoint with a PHP file in the multipart filename field (files[])
  • Alert on HTTP 200 responses from the upload endpoint whose body contains both 'files' and 'delete_url', indicating successful PHP shell upload
  • Monitor for direct GET requests to .php files under the plugin's files/ directory, indicating webshell execution after upload
  • Flag multipart upload requests using the distinctive boundary string '----------lImIt_of_THE_fIle_eW_$' as a known exploit tool signature
  • Check plugin readme for version below 1.0.0 on WordPress to confirm vulnerable Creative Contact Form installation
  • The vulnerability was actively exploited in the wild in October 2014; patched versions are Creative Contact Form >= 1.0.0 (WordPress) and >= 2.0.1 (Joomla!)
  • The upload handler does not restrict PHP file extensions, meaning any .php file submitted via the files[] field is stored and directly executable under the files/ directory
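
The two checks above that can be evaluated from web server access logs alone (a POST to the upload endpoint, then a request for a .php file under files/) are sketched below as an added example; it is not code from this page or from the plugin. The common/combined log format, the function name scan, the finding labels and the sample lines are assumptions made for illustration. The multipart filename, the boundary string and the response body do not appear in access logs and need request/response inspection instead.

```python
import re
from urllib.parse import unquote

# Plugin directories listed on this page (WordPress build, Joomla! build).
BASES = (
    "/wp-content/plugins/sexy-contact-form/includes/fileupload/",
    "/components/com_creativecontactform/fileupload/",
)
# Assumption: the server writes common/combined access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (kind, client_ip, path) findings in log order."""
    findings, upload_seen = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and decode %xx so "%2Ephp" cannot hide the suffix.
        path = unquote(m["target"].split("?", 1)[0])
        low = path.lower()
        for base in BASES:
            if low == base + "index.php" and m["method"] == "POST":
                if m["status"] == "200":
                    upload_seen.add(base)
                    findings.append(("upload_post", m["ip"], path))
            elif low.startswith(base + "files/") and low.endswith(".php"):
                # Strongest signal: a served .php after an accepted upload POST.
                hit = m["status"] == "200" and base in upload_seen
                kind = "php_run_after_upload" if hit else "php_request_in_files"
                findings.append((kind, m["ip"], path))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file names).
WP = "/wp-content/plugins/sexy-contact-form"
SAMPLE = [
    f'198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET {WP}/readme.txt HTTP/1.1" 200 912 "-" "-"',
    f'203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST {WP}/includes/fileupload/index.php HTTP/1.1" 200 310 "-" "-"',
    f'203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET {WP}/includes/fileupload/files/example.PHP?x=1 HTTP/1.1" 200 42 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /components/com_creativecontactform/fileupload/files/probe.php HTTP/1.1" 404 0 "-" "-"',
    f'198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET {WP}/includes/fileupload/files/photo.jpg HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A php_request_in_files finding with a 404 status is a probe rather than confirmed execution, but any .php request under files/ is worth reviewing because the directory should only ever hold uploaded attachments.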

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL