CVE-2015-10135
Published 2025-07-19
Priority P276 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.76% (84.5th percentile)
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eoxia | wpshop_2 | < 1.3.9.6 | 1.3.9.6 |
| eoxia | wpshop_2_e-commerce | < 1.3.9.6 | 1.3.9.6 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to the ajaxUpload function endpoint in the WPshop plugin, particularly those uploading PHP or executable file types.
- Detect exploitation attempts targeting WordPress WPshop eCommerce plugin versions 1.3.3.3 through 1.3.9.5, which allow arbitrary PHP file upload and remote code execution.
- The Metasploit module was tested on a specific environment; exploitation behavior may vary outside this configuration.
No detection rules found.
No writeups or analysis indexed.
- https://g0blin.co.uk/g0blin-00036/
- https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb
- https://plugins.trac.wordpress.org/changeset/1103406
- https://wordpress.org/plugins/wpshop/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/32e8224d-a653-48d7-a3f4-338fc0c1dc77?source=cve