CVE-2014-9473
Published 2015-01-08
Priority: P2 (64) · CVSS 2.0: 7.5 (high)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit indexed
EPSS: 14.56% (96.2nd percentile)
Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the cf_uploadfile2[] parameter, then accessing the file via a direct request to the file in the default upload directory.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deliciousdays | cformsii | <= 14.7 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests containing a multipart field name matching 'cf_uploadfile<N>[]' (e.g., cf_uploadfile1[]) to WordPress pages hosting CformsII, especially when the uploaded filename carries an executable extension (.php, .phtml, etc.).
- Detect POST requests to WordPress contact-form pages that simultaneously include hidden CformsII fields (cf_working<N>, cf_failure<N>, cf_codeerr<N>, cf_customerr<N>, cf_popup<N>) alongside a file upload field; this matches the exploit's required parameter set.
- Flag any PHP (or other executable) file written into the CformsII plugin directory (/wp-content/plugins/cforms2/) on disk, as the vulnerability allows the uploaded file to be accessed via a direct request to the default upload directory.
- Versions 14.6.3 and above of CformsII changed the upload destination to the standard WordPress upload folder rather than the plugin directory; detection rules targeting /wp-content/plugins/cforms2/ as the upload path may miss exploitation against those versions.
- The exploit iterates over multiple form numbers (2–9) and field indices to locate the active CformsII form; detection logic should not be tied to a single fixed form number.
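The detection notes above, turned into working request-side and disk-side checks. This is an added example, not code from the page's sources, the exploit, or the CformsII plugin. It parses a multipart/form-data body with the Python standard library, matches cf_uploadfile<N>[] for any form number rather than a fixed one, raises confidence when the five hidden fields for the same form number are present, and checks both upload destinations on disk (plugin directory for older builds, standard uploads folder for 14.6.3 and later). The executable-extension list, the directory path patterns, the severity labels, and both sample request bodies are assumptions constructed for the example.

```python
import email
import os
import re

# Extensions a typical PHP web server executes on a direct request (assumed list).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Hidden CformsII fields the exploit submits alongside the upload; <N> is the form number.
HIDDEN_FIELDS = ("cf_working", "cf_failure", "cf_codeerr", "cf_customerr", "cf_popup")

# Matches cf_uploadfile<N>[] for any form number, not only the cf_uploadfile2[] named in the CVE text.
UPLOAD_FIELD_RE = re.compile(r"^cf_uploadfile(\d+)\[\]$")

# Both upload destinations: plugin directory (older builds) and the standard
# WordPress upload folder (14.6.3 and later). Path layout assumed from the notes above.
UPLOAD_DIR_RES = (
    re.compile(r"/wp-content/plugins/cforms2/"),
    re.compile(r"/wp-content/uploads/"),
)


def parse_multipart(content_type, body):
    """Split a multipart/form-data body into (field name, filename) pairs.

    The body is wrapped in a minimal MIME header so the stdlib email parser
    handles the boundary splitting.
    """
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\nMIME-Version: 1.0\r\n\r\n" + body
    )
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_param("name", header="content-disposition")
        parts.append((name, part.get_filename()))
    return parts


def analyze_request(content_type, body):
    """Return one finding per cf_uploadfile<N>[] part carrying a filename."""
    parts = parse_multipart(content_type, body)
    names = {name for name, _ in parts if name}
    findings = []
    for name, filename in parts:
        m = UPLOAD_FIELD_RE.match(name or "")
        if not m or not filename:
            continue
        form_no = m.group(1)
        ext = os.path.splitext(filename.lower())[1]
        executable = ext in EXECUTABLE_EXTS
        # The exploit sends the hidden fields for the same form number as the upload field.
        hidden = [f for f in HIDDEN_FIELDS if f"{f}{form_no}" in names]
        if executable and len(hidden) == len(HIDDEN_FIELDS):
            severity = "high"    # executable upload plus the exploit's full parameter set
        elif executable:
            severity = "medium"  # executable upload without the tell-tale hidden fields
        else:
            severity = "info"    # ordinary attachment
        findings.append({"form": form_no, "field": name, "filename": filename,
                         "executable": executable, "hidden_fields": hidden,
                         "severity": severity})
    return findings


def flag_written_file(path):
    """Disk-side check: an executable file landing in either CformsII upload destination."""
    ext = os.path.splitext(path.lower())[1]
    return ext in EXECUTABLE_EXTS and any(r.search(path) for r in UPLOAD_DIR_RES)


def build_body(boundary, fields, upload):
    """Construct a multipart/form-data body (sample data for this example only)."""
    lines = []
    for name, value in fields:
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    name, filename, data = upload
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{name}"; filename="{filename}"',
              "Content-Type: application/octet-stream", "", data]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode()


BOUNDARY = "----constructedBoundary42"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

# Constructed exploit-shaped request: form number 3, all five hidden fields, .php upload.
EXPLOIT_BODY = build_body(
    BOUNDARY,
    [(f"{f}3", "1") for f in HIDDEN_FIELDS] + [("cf_field_1", "visitor"), ("sendbutton3", "Submit")],
    ("cf_uploadfile3[]", "cmd.php", "constructed payload, not a real web shell"),
)

# Constructed benign submission to the same form with a PDF attachment.
BENIGN_BODY = build_body(
    BOUNDARY,
    [("cf_field_1", "visitor"), ("sendbutton3", "Submit")],
    ("cf_uploadfile3[]", "resume.pdf", "%PDF-1.4 constructed"),
)

if __name__ == "__main__":
    for label, body in (("exploit-shaped", EXPLOIT_BODY), ("benign", BENIGN_BODY)):
        print(label, analyze_request(CONTENT_TYPE, body))
    print(flag_written_file("/var/www/html/wp-content/plugins/cforms2/cmd.php"))
```

The request-side rule keys on the upload field's form number and looks for the hidden fields with that same number, so a form with any number passes through unchanged; the disk-side rule accepts either directory so a rule written for the plugin path does not go blind on 14.6.3 and later.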
No detection rules found.
No writeups or analysis indexed.