CVE-2015-8351

9CRITICAL

Key Information:

Vendor
Wordpress
Status
Gwolle Guestbook
Vendor
CVE Published:
11 September 2017

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 57%

Summary

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

exploit-CVE-2015-8351
Created by igruntplay

CVE-2015-8351
Created by G01d3nW01f

References

https://wordpress.org/plugins/gwolle-gb/changelog/
x_refsource_CONFIRM
https://www.htbridge.com/advisory/HTB23275
x_refsource_MISC
https://www.exploit-db.com/exploits/38861/
exploitx_refsource_EXPLOIT-DB

EPSS Score

57% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.