CVE-2015-10138
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-19

Last updated on: 2025-12-16

Assigner: Wordfence

Description
The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-19
Last Modified
2025-12-16
Generated
2026-05-06
AI Q&A
2025-07-19
EPSS Evaluated
2026-05-05
NVD
CVE-2015-10138
EUVD
EUVD-2015-9397
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lynton_reed work_the_flow_file_upload to 2.5.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the WordPress plugin 'Work The Flow File Upload' (up to version 2.5.2) is due to missing file type validation in the jQuery-File-Upload component. This flaw allows unauthenticated attackers to upload arbitrary files, including malicious ones like web shells, to the affected server. Because the plugin does not properly sanitize or restrict uploaded files, attackers can execute remote code on the server by uploading and running these files. [3, 4, 5]


How can this vulnerability impact me? :

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. Attackers can upload malicious files such as backdoors or web shells, which can lead to unauthorized access, privilege escalation, data theft, server compromise, and potentially full control over the webserver and its data. [3, 4, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the vulnerable file upload endpoint is accessible and allows arbitrary file uploads without authentication. A common detection method is to attempt a POST request to the endpoint `/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php` with the parameter `action=upload` and a test file. For example, using curl: curl -F "action=upload" -F "files[][email protected]" http://[VICTIM]/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php If the file uploads successfully and is accessible under `/server/php/files/`, the system is vulnerable. Monitoring web server logs for unexpected POST requests to this path or the presence of suspicious uploaded files can also help detect exploitation attempts. [5, 4]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Work The Flow File Upload WordPress plugin to version 2.5.3 or later, where the vulnerability has been patched by removing the vulnerable server and test files. Until the update can be applied, restrict access to the vulnerable upload endpoint by disabling or removing the directory `/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server` and its contents, or by applying web server rules to block POST requests to this path. Additionally, monitor for any suspicious uploaded files and remove them to prevent remote code execution. [1, 3, 4, 5]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart