CVE-2015-10137
published 2025-07-22

Priority: P2 · 75 · critical
CVSS 3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 3.26% (86.8th percentile)

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
n-media | website_contact_form_with_file_upload | <= 1.3.4 |
najeebmedia | website_contact_form_with_file_upload | <= 1.3.4 |

Detection & IOCs (extracted from sources)

Version: Website Contact Form With File Upload <= 1.3.4
  • Monitor for unauthenticated file upload requests targeting the 'upload_file()' function in the N-Media Website Contact Form WordPress plugin, particularly uploads of PHP or other executable file types.
  • A Metasploit module exists for this vulnerability targeting WordPress N-Media Website Contact Form plugin version 1.3.4; watch for exploit framework signatures in HTTP traffic against WordPress contact form endpoints.
  • The vulnerability is exploitable by unauthenticated users, meaning no login or privilege is required to trigger the file upload.
  • The root cause is missing file type validation in the upload_file() function; detection should focus on unrestricted file type uploads rather than authentication bypass.