{"api_version":"1","generated_at":"2026-04-23T11:22:06+00:00","cve":"CVE-2014-8739","urls":{"html":"https://cve.report/CVE-2014-8739","api":"https://cve.report/api/cve/CVE-2014-8739.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-8739","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-8739"},"summary":{"title":"CVE-2014-8739","description":"Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-02-08 18:15:00","updated_at":"2020-02-12 18:37:00"},"problem_types":["CWE-434"],"metrics":[],"references":[{"url":"https://www.exploit-db.com/exploits/35057/","name":"https://www.exploit-db.com/exploits/35057/","refsource":"MISC","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://osvdb.org/show/osvdb/113669","name":"http://osvdb.org/show/osvdb/113669","refsource":"MISC","tags":["Broken Link"],"title":"","mime":"","httpstatus":"-1","archivestatus":"403"},{"url":"http://www.openwall.com/lists/oss-security/2014/11/11/5","name":"http://www.openwall.com/lists/oss-security/2014/11/11/5","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: CVE request: Joomla component com_sexycontactform\n and WordPress plugin sexy-contact-form unrestricted file upload","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2014/11/13/3","name":"http://www.openwall.com/lists/oss-security/2014/11/13/3","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://osvdb.org/show/osvdb/113673","name":"http://osvdb.org/show/osvdb/113673","refsource":"MISC","tags":["Broken Link"],"title":"","mime":"","httpstatus":"-1","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/36811/","name":"https://www.exploit-db.com/exploits/36811/","refsource":"MISC","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"WordPress Plugin Creative Contact Form - Arbitrary File Upload (Metasploit) - PHP remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wordpress.org/plugins/sexy-contact-form/changelog/","name":"https://wordpress.org/plugins/sexy-contact-form/changelog/","refsource":"MISC","tags":["Third Party Advisory"],"title":"WordPress › Creative Contact Form « WordPress Plugins","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2014/11/11/4","name":"http://www.openwall.com/lists/oss-security/2014/11/11/4","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - CVE request: Joomla component com_sexycontactform and WordPress\n plugin sexy-contact-form unrestricted file upload","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-8739","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-8739","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"creative-solutions","cpe5":"creative_contact_form","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"joomla!","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"creative-solutions","cpe5":"creative_contact_form","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"joomla\\!","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"creative-solutions","cpe5":"creative_contact_form","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"creative-solutions","cpe5":"creative_contact_form","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"joomla\\!","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"creative-solutions","cpe5":"creative_contact_form","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jquery_file_upload_project","cpe5":"jquery_file_upload","cpe6":"6.4.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"8739","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jquery_file_upload_project","cpe5":"jquery_file_upload","cpe6":"6.4.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2014-8739","STATE":"PUBLIC"},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"references":{"reference_data":[{"refsource":"MISC","name":"https://www.exploit-db.com/exploits/35057/","url":"https://www.exploit-db.com/exploits/35057/"},{"refsource":"MISC","name":"https://www.exploit-db.com/exploits/36811/","url":"https://www.exploit-db.com/exploits/36811/"},{"refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2014/11/11/4","url":"http://www.openwall.com/lists/oss-security/2014/11/11/4"},{"refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2014/11/11/5","url":"http://www.openwall.com/lists/oss-security/2014/11/11/5"},{"refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2014/11/13/3","url":"http://www.openwall.com/lists/oss-security/2014/11/13/3"},{"refsource":"MISC","name":"https://wordpress.org/plugins/sexy-contact-form/changelog/","url":"https://wordpress.org/plugins/sexy-contact-form/changelog/"},{"refsource":"MISC","name":"http://osvdb.org/show/osvdb/113669","url":"http://osvdb.org/show/osvdb/113669"},{"refsource":"MISC","name":"http://osvdb.org/show/osvdb/113673","url":"http://osvdb.org/show/osvdb/113673"}]}},"nvd":{"publishedDate":"2020-02-08 18:15:00","lastModifiedDate":"2020-02-12 18:37:00","problem_types":["CWE-434"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:6.4.4:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:creative-solutions:creative_contact_form:*:*:*:*:*:joomla\\!:*:*","versionEndExcluding":"2.0.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:creative-solutions:creative_contact_form:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"1.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"8739","Ordinal":"75797","Title":"CVE-2014-8739","CVE":"CVE-2014-8739","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"8739","Ordinal":"1","NoteData":"Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.","Type":"Description","Title":null},{"CveYear":"2014","CveId":"8739","Ordinal":"2","NoteData":"2020-02-08","Type":"Other","Title":"Published"},{"CveYear":"2014","CveId":"8739","Ordinal":"3","NoteData":"2020-02-08","Type":"Other","Title":"Modified"}]}}}