CVE-2015-4455
published 2017-05-23


Priority: P187 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit status: in-the-wild exploit · VulnCheck KEV
Exploited in the wild
EPSS: 41.48% (98.5th percentile)
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary.

Affected

1 range

Vendor:        aviary_image_editor_add-on_for_gravity_forms_project
Product:       aviary_image_editor_add-on_for_gravity_forms
Version range: <= 3.0
Fixed in:      (none listed)

Detection & IOCs (extracted from sources)

path:     includes/upload.php
path:     wp-content/uploads/gform_aviary
url:      /?gf_page=upload
filename: {(unknown)}.phtml
  • Monitor POST requests to /?gf_page=upload endpoint with multipart/form-data containing executable file extensions (e.g., .php, .phtml) — no authentication is required by the vulnerable upload handler.
  • Detect multipart POST requests to /?gf_page=upload where the 'name' field contains a double extension or executable extension (e.g., .phtml, .php) while the 'file' filename field uses a benign extension (e.g., .jpg) — a common bypass pattern used in exploitation.
  • The gform_unique_id POST parameter is used for path traversal (value: ../../../); detect requests where this parameter contains directory traversal sequences.
  • The upload endpoint is entirely unauthenticated — there is no WordPress nonce, capability check, or session validation before files are accepted and moved to the upload directory.

CVSS provenance

nvd (v3.0):  9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):  7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck:   9.8 CRITICAL