CVE-2014-9473
published 2015-01-08


Priority: P2 (64) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 14.56% (percentile 96.2)
Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the cf_uploadfile2[] parameter, then accessing the file via a direct request to the file in the default upload directory.

Affected

1 range

Vendor         Product    Version range    Fixed in
deliciousdays  cformsii   <= 14.7          (not listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/cforms2/
path: /wp-content/plugins/cforms2/noid-wow.php
filename: wow.php
filename: lib_nonajax.php
  • Monitor POST requests to WordPress pages hosting CformsII whose multipart field name matches 'cf_uploadfile<N>[]' (e.g., cf_uploadfile1[]), especially when the uploaded filename carries an executable extension (.php, .phtml, etc.).
  • Detect POST requests to WordPress contact-form pages that include the hidden CformsII fields (cf_working<N>, cf_failure<N>, cf_codeerr<N>, cf_customerr<N>, cf_popup<N>) alongside a file upload field: this matches the parameter set the exploit requires.
  • Flag any PHP (or other executable) file written into the CformsII plugin directory (/wp-content/plugins/cforms2/) on disk, since the vulnerability allows the uploaded file to be accessed via a direct request to the default upload directory.
  • Versions 14.6.3 and above of CformsII changed the upload destination to the standard WordPress upload folder rather than the plugin directory; detection rules that target /wp-content/plugins/cforms2/ as the upload path may miss exploitation against those versions.
  • The exploit iterates over multiple form numbers (2–9) and field indices to locate the active CformsII form, so detection logic should not be tied to a single fixed form number.
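The detection points above, turned into runnable logic as an added example (not code from this page or from the CformsII project): it matches the upload field name for any form number, checks the uploaded filename for an executable extension, looks for the hidden control fields next to a file upload, and flags executable files appearing under the plugin directory. The request-record shape and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List

# Extensions a typical web server would hand to the PHP interpreter.
EXEC_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")

# Any form number and any field index: the exploit iterates form numbers
# 2-9, so the rule must never be pinned to a single N.
UPLOAD_FIELD = re.compile(r"^cf_uploadfile\d+\[\]$")
HIDDEN_FIELDS = re.compile(r"^cf_(working|failure|codeerr|customerr|popup)\d+$")


def flag_request(req: Dict) -> List[str]:
    """Return the reasons a parsed multipart POST looks like CformsII upload abuse.

    Assumed record shape: {"method", "path", "fields": {name: value},
    "files": {field_name: uploaded_filename}}.
    """
    reasons: List[str] = []
    if req.get("method") != "POST":
        return reasons
    files = req.get("files", {})
    fields = req.get("fields", {})
    for name, fname in files.items():
        if UPLOAD_FIELD.match(name) and fname.lower().endswith(EXEC_EXT):
            reasons.append(f"executable upload {fname!r} via {name}")
    if files and any(HIDDEN_FIELDS.match(n) for n in fields):
        reasons.append("hidden CformsII control fields present alongside a file upload")
    return reasons


def flag_written_file(path: str) -> bool:
    """File-integrity check: executable file appearing under the plugin directory.

    Versions 14.6.3+ write to the standard uploads folder, so this check alone
    does not cover them (see the note above).
    """
    return path.startswith("/wp-content/plugins/cforms2/") and path.lower().endswith(EXEC_EXT)


# Constructed sample events, not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/contact/",
     "fields": {"cf_working3": "", "cf_failure3": "", "cf_popup3": ""},
     "files": {"cf_uploadfile3[]": "avatar.php"}},
    {"method": "POST", "path": "/contact/",
     "fields": {"cf_working2": ""}, "files": {"cf_uploadfile2[]": "resume.pdf"}},
    {"method": "GET", "path": "/contact/", "fields": {}, "files": {}},
]
```

The first sample trips both request rules, the second only the hidden-field rule (a benign-looking attachment on a form with a file field), and the third none; tune the hidden-field rule to your own false-positive tolerance.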