CVE-2014-8739
Summary
| CVE | CVE-2014-8739 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-02-08 18:15:00 UTC |
| Updated | 2020-02-12 18:37:00 UTC |
| Description | Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Creative-solutions | Creative Contact Form | All | All | All | All |
| Application | Creative-solutions | Creative Contact Form | All | All | All | All |
| Application | Creative-solutions | Creative Contact Form | All | All | All | All |
| Application | Creative-solutions | Creative Contact Form | All | All | All | All |
| Application | Creative-solutions | Creative Contact Form | All | All | All | All |
| Application | Jquery File Upload Project | Jquery File Upload | 6.4.4 | All | All | All |
| Application | Jquery File Upload Project | Jquery File Upload | 6.4.4 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability | MISC | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| osvdb.org/show/osvdb/113669 | MISC | osvdb.org | Broken Link |
| oss-security - Re: CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload | MISC | www.openwall.com | Mailing List, Third Party Advisory |
| oss-security - Re: CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload | MISC | www.openwall.com | Mailing List, Third Party Advisory |
| osvdb.org/show/osvdb/113673 | MISC | osvdb.org | Broken Link |
| WordPress Plugin Creative Contact Form - Arbitrary File Upload (Metasploit) - PHP remote Exploit | MISC | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| WordPress › Creative Contact Form « WordPress Plugins | MISC | wordpress.org | Third Party Advisory |
| oss-security - CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload | MISC | www.openwall.com | Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.