CVE-2015-10135

WPshop 2 – E-Commerce < 1.3.9.6 - Arbitrary File Upload

CVSS 9.8 CRITICALEPSS 2.8%CWE-434

Vexday Risk Score

43Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 2.8%KEV nãoPoC —Nuclei —Metasploit simPatch —

Lifecycle

09 Mar 2015Metasploit module available

19 Jul 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

eoxia · WPshop 2 – E-Commerce

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://g0blin.co.uk/g0blin-00036/https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb https://plugins.trac.wordpress.org/changeset/1103406 https://wordpress.org/plugins/wpshop/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/32e8224d-a653-48d7-a3f4-338fc0c1dc77?source=cve