Arbitrary File Upload Vulnerability in WPshop E-Commerce Plugin by WordPress
CVE-2015-10135

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WPshop 2 – E-commerce
Vendor: CVE Published:; 19 July 2025

What is CVE-2015-10135?

The WPshop E-Commerce plugin for WordPress suffers from an arbitrary file upload vulnerability due to inadequate file type validation in the ajaxUpload function. This security flaw, present in versions prior to 1.3.9.6, allows unauthenticated attackers to upload arbitrary files to the server. These uploaded files could potentially facilitate remote code execution, exposing the affected WordPress site to severe risks. Site owners are strongly advised to update to the latest version to mitigate this vulnerability.

Affected Version(s)

WPshop 2 – E-Commerce * < 1.3.9.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://g0blin.co.uk/g0blin-00036/

https://github.com/espreto/wpsploit/blob/master/modules/e...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 19, 2025
Vulnerability Reserved
Jul 18, 2025

Credit

James Hooker