CVE-2015-7309
published 2015-09-22

Priority: P3 · 54
CVSS 2.0: 6.5 (medium), vector AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 38.61% (98.4th percentile)
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.

Affected (1 range)

Vendor: boltcms
Product: bolt
Version range: <= 2.2.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /bolt/login
url: /async/renamefile
url: /bolt/files/theme/<foldername>
path: /theme/<foldername>/<payload>.php
command: POST /async/renamefile namespace=theme&parent=<foldername>&oldname=<payload>.png&newname=<payload>.php
  • Monitor POST requests to /async/renamefile with a 'newname' parameter ending in .php — this is the rename step that converts an uploaded image to an executable PHP file.
  • Detect multipart file uploads to /bolt/files/theme/* where the uploaded filename has an image extension (e.g. .png) but content is PHP code.
  • Alert on GET requests to /theme/<foldername>/*.php immediately after a rename operation — this is the webshell execution step.
  • Check for the version banner string 'Bolt 2.2.4: Sophisticated, lightweight & simple CMS' in HTTP responses to identify vulnerable targets.
  • Authenticated POST to /bolt/login with action=login followed immediately by POST to /async/renamefile is a strong behavioral indicator of this exploit chain.
  • Exploit requires valid authenticated credentials; the vulnerability is only exploitable by authenticated users with theme editor access.
  • The default theme folder targeted by the Metasploit module is 'base-2014'; defenders should check all theme subdirectories under /theme/ for unexpected .php files.
  • The module was tested specifically against Bolt 2.2.4; the NVD advisory states all versions before 2.2.5 are affected.
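
The rename and follow-up-access checks from the notes above, written as an added example (not code from the advisory, the Metasploit module or Bolt). It assumes request records that include POST bodies, such as those from a reverse proxy or WAF; the sample events, the extension list and the 300-second window are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample records: (epoch seconds, method, path, form body).
SAMPLE_EVENTS = [
    (100, "POST", "/bolt/login", "action=login&username=editor"),
    (104, "POST", "/async/renamefile",
     "namespace=theme&parent=base-2014&oldname=logo.png&newname=logo.php"),
    (106, "GET", "/theme/base-2014/logo.php", ""),
    (200, "POST", "/async/renamefile",
     "namespace=theme&parent=base-2014&oldname=a.png&newname=b.png"),
    (300, "POST", "/async/renamefile",
     "namespace=theme&parent=base-2014&oldname=x.gif&newname=x.PHP%20"),
    (900, "GET", "/theme/base-2014/x.php", ""),
]

# Assumption: extensions the web server hands to PHP; adjust to the real config.
EXEC_EXTS = (".php", ".phtml", ".php5", ".phar")
WINDOW = 300  # assumed correlation window in seconds


def field(form, key):
    """First value of a form field, trimmed and lower-cased for comparison."""
    return form.get(key, [""])[0].strip().rstrip(".").lower()


def detect(events, window=WINDOW):
    """Return (time, rule, path) alerts for the rename and access steps."""
    alerts, renamed = [], {}
    for ts, method, path, body in sorted(events):
        path = path.split("?", 1)[0].lower()
        if method == "POST" and path.rstrip("/") == "/async/renamefile":
            form = parse_qs(body)  # also URL-decodes the values
            newname = field(form, "newname")
            if newname.endswith(EXEC_EXTS):
                target = "/%s/%s/%s" % (field(form, "namespace"),
                                        field(form, "parent"), newname)
                renamed[target] = ts
                alerts.append((ts, "rename-to-executable", target))
        elif method == "GET" and path in renamed and ts - renamed[path] <= window:
            alerts.append((ts, "access-after-rename", path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The third rename in the sample uses mixed case and a trailing encoded space, which a plain suffix match on the raw body would miss.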