CVE-2014-8739

9.8 CRITICAL

📋 TL;DR

This vulnerability lets unauthenticated remote attackers upload arbitrary PHP files through the jQuery File Upload server-side handler (server/php/UploadHandler.php) bundled with vulnerable versions of Creative Contact Form, because the handler's file-type check accepts any extension. The uploaded file lands in the plugin's files/ directory, and a direct request to it executes the attacker's code, leading to complete compromise of the web server. This affects WordPress and Joomla! installations running the affected Creative Contact Form versions.

💻 Affected Systems

Products:
  • jQuery File Upload Plugin
  • Creative Contact Form for WordPress
  • Creative Contact Form for Joomla!
Versions: jQuery File Upload Plugin 6.4.4; Creative Contact Form <1.0.0 for WordPress; Creative Contact Form <2.0.1 for Joomla!
Operating Systems: Any OS running affected web applications
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default configuration of affected plugins.

📦 What is this software?

jQuery File Upload is the widely used blueimp upload widget; its optional PHP backend (server/php/UploadHandler.php) receives multipart uploads and writes them into a files/ directory. Creative Contact Form (formerly Sexy Contact Form, by Creative Solutions) is a commercial form builder for WordPress and Joomla! that bundles this PHP handler to accept form attachments.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with remote code execution, data theft, and lateral movement within the network.

🟠 Likely Case: Webshell deployment leading to website defacement, data exfiltration, and backdoor persistence.

🟢 If Mitigated: File uploads blocked or properly validated, preventing malicious file execution.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild since October 2014. Exploitation is one multipart POST to the upload handler carrying a .php file, followed by a GET to that file under files/; no authentication or special server conditions are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Creative Contact Form 1.0.0 for WordPress, 2.0.1 for Joomla!; jQuery File Upload Plugin later than 6.4.4

Advisory (oss-security): http://www.openwall.com/lists/oss-security/2014/11/11/4

Restart Required: No

Instructions:

1. Update Creative Contact Form to version 1.0.0 or later for WordPress, or 2.0.1 or later for Joomla!.
2. Update any separately deployed copy of the jQuery File Upload Plugin to the latest version.
3. Remove any existing malicious PHP files from the upload (files/) directory. If a webshell is found, treat the host as compromised rather than only deleting the file: the shell may have been used to establish persistence elsewhere, so rotate credentials and review the rest of the server.

🔧 Temporary Workarounds

Restrict PHP execution in upload directories via .htaccess

Platform: Apache with AllowOverride enabled for the upload directory (nginx does not read .htaccess and needs an equivalent location rule)

Block PHP file execution in upload directories

Add to .htaccess in the upload directory (the plugin's files/ directory), matching the alternate PHP extensions as well as .php:

<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use Require all denied inside the same FilesMatch block. This stops the uploaded script from being served but does not stop the upload itself, so files/ still has to be checked and cleaned.

Disable vulnerable plugin

Platform: all

Temporarily disable Creative Contact Form until patched:

WordPress: wp plugin deactivate creative-contact-form
Joomla: disable the plugin via the Extensions manager in the administrator panel

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block PHP file uploads to the plugin's upload handler (match the multipart filename extension, not only the request path)
  • Disable script execution in the upload directory at the web-server level (for mod_php, php_admin_flag engine off in a Directory block covering files/; this directive cannot be set from .htaccess)
  • Regularly monitor and clean upload directories for suspicious PHP files

🔍 How to Verify

Check if Vulnerable:

Locate the bundled handler (server/php/UploadHandler.php under the plugin directory) and inspect its accept_file_types option: the vulnerable builds ship the catch-all pattern /.+$/i, so any extension, including .php, is accepted. Confirm in a test environment by uploading a harmless PHP file (one that only prints a fixed string) through the form and then requesting it from the files/ directory; if the server executes it, the installation is vulnerable.

Check Version:

WordPress: wp plugin list | grep creative-contact-form
Joomla: check the installed version in the Extensions manager

Verify Fix Applied:

Repeat the test upload: the handler should reject the PHP file and nothing new should appear in files/. Confirm the plugin versions match the patched versions above, and that files/ contains no leftover .php files from earlier uploads.
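As an added example (not code from the plugin or from the jQuery File Upload project), the following Python reproduces the permissive check on the vulnerable side and a hardened allowlist check beside it, and adds a heuristic scan of an UploadHandler.php source for the catch-all accept_file_types default. The extension sets and the PHP option snippets are constructed for illustration.

```python
import os
import re

# Vulnerable behaviour: the bundled UploadHandler.php defaults accept_file_types to the
# catch-all regex /.+$/i, so every filename, including shell.php, passes. Reproduced here.
VULNERABLE_ACCEPT = re.compile(r'.+$', re.I)

# Hardened policy (assumed sets): an explicit allowlist of what a contact-form attachment
# may be, and a denylist of extensions the web server or PHP may execute.
ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'}
EXECUTABLE_EXTENSIONS = {'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'}

def vulnerable_accepts(filename):
    """The original check: anything with at least one character is accepted."""
    return bool(VULNERABLE_ACCEPT.search(filename))

def hardened_accepts(filename):
    """Allowlist check that also closes the usual bypasses."""
    # Drop any path the client supplied (../../, C:\...) and keep only the leaf name.
    base = os.path.basename(filename.replace('\\', '/'))
    # Reject empty names, control characters (NUL truncation tricks) and dotfiles
    # such as .htaccess, which could re-enable execution in the upload directory.
    if not base or any(ord(c) < 32 for c in base) or base.startswith('.'):
        return False
    parts = base.lower().split('.')
    if len(parts) < 2:
        return False          # no extension at all: reject rather than guess
    exts = parts[1:]
    # Check every segment, not only the last: Apache's AddHandler matches the inner
    # ".php" of "shell.php.jpg", so a last-extension-only check is bypassable.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS

# Heuristic source check for the handler itself: flag an accept_file_types value that
# matches everything. The list of catch-all bodies is an assumption covering common spellings.
ACCEPT_OPTION_RE = re.compile(r"'accept_file_types'\s*=>\s*'([^']*)'")
CATCH_ALL_BODIES = {'.+$', '.*$', '.+', '.*', '.'}

def handler_is_permissive(php_source):
    """True if an UploadHandler.php source sets a catch-all accept_file_types regex."""
    m = ACCEPT_OPTION_RE.search(php_source)
    if not m:
        return True           # option absent: the library default is the catch-all
    regex = m.group(1).strip()
    body = re.sub(r'^/(.*)/[a-zA-Z]*$', r'\1', regex)   # strip PHP delimiters and flags
    return body in CATCH_ALL_BODIES

if __name__ == '__main__':
    # Constructed snippets standing in for the option line in the two handler versions.
    vulnerable_src = "'accept_file_types' => '/.+$/i',"
    patched_src = "'accept_file_types' => '/\\.(gif|jpe?g|png|pdf)$/i',"
    print('vulnerable handler permissive:', handler_is_permissive(vulnerable_src))
    print('patched handler permissive:', handler_is_permissive(patched_src))
    for name in ['photo.jpg', 'shell.php', 'shell.PHP', 'shell.php.jpg', 'shell.phtml', '.htaccess']:
        print(f'{name!r:18} vulnerable={vulnerable_accepts(name)} hardened={hardened_accepts(name)}')
```

Running the block shows the vulnerable check accepting every name while the hardened check accepts only photo.jpg. The extension check is a second line of defence only; the upload directory should still have script execution disabled as described under Temporary Workarounds.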

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the plugin's upload handler (server/php/ under the plugin path) from sources that never loaded the form page
  • Requests for .php files under the plugin's files/ directory, especially 200 responses or requests with query parameters shortly after a POST from the same client
  • 404 responses for .php files under files/: scanners probing for an already-dropped shell

Network Indicators:

  • HTTP multipart POST requests to the upload handler whose filename part ends in .php (or .phtml, .phar, .php5)
  • Subsequent GET requests to the uploaded file under files/

SIEM Query:

Standard access logs do not record the uploaded filename, so the reliable signal is the second step: a request for a .php file under files/, ideally correlated with an earlier POST to the upload handler from the same source. Pseudo-query (field names are illustrative; adapt to your schema):

source="web_logs" AND ((uri_path LIKE "%/files/%.php%") OR (method="POST" AND (uri_path LIKE "%/server/php/%" OR uri_path LIKE "%/upload%")))
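The correlation described above, as an added example that is not part of the original page: a Python script that parses Apache combined-format access log lines, records POSTs to the upload handler per client, and reports requests for scripts under files/, labelling each by whether the same client uploaded shortly before. The log lines and plugin paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines standing in for real traffic. The plugin paths are
# assumed for illustration (the handler under server/php/, uploads under files/).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2014:10:01:02 +0000] "POST /wp-content/plugins/creative-contact-form/server/php/index.php HTTP/1.1" 200 143 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2014:10:01:09 +0000] "GET /wp-content/plugins/creative-contact-form/files/shell.php?cmd=id HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2014:10:05:00 +0000] "POST /wp-content/plugins/creative-contact-form/server/php/index.php HTTP/1.1" 200 143 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2014:10:05:03 +0000] "GET /wp-content/plugins/creative-contact-form/files/resume.pdf HTTP/1.1" 200 9132 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Nov/2014:10:20:00 +0000] "GET /wp-content/plugins/creative-contact-form/files/shell.php HTTP/1.1" 404 210 "-" "curl/7.38.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# POST to the upload handler (blueimp's server/php/ entry point, or any /upload path)
UPLOAD_ENDPOINT_RE = re.compile(r'/server/php/|/upload', re.I)
# GET of a script under files/: .php plus the alternate extensions PHP handlers may map
SCRIPT_IN_FILES_RE = re.compile(r'/files/[^?]*\.(php\d?|phtml|phar)(\?|$)', re.I)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec

def detect(log_text, window=timedelta(minutes=10)):
    """Return findings for the upload-then-execute pattern.

    Every GET for a script under files/ is reported. It is labelled
    'upload-then-execute' when the same client POSTed to the upload handler within
    `window` beforehand, 'script-served' when it got a 200 without that correlation,
    and 'probe' otherwise (scanners looking for an already-dropped shell).
    """
    last_upload = {}      # client ip -> time of its most recent POST to the handler
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method, path = rec['ip'], rec['method'], rec['path']
        if method == 'POST' and UPLOAD_ENDPOINT_RE.search(path):
            last_upload[ip] = rec['ts']
        elif method == 'GET' and SCRIPT_IN_FILES_RE.search(path):
            prior = last_upload.get(ip)
            if prior is not None and rec['ts'] - prior <= window:
                reason = 'upload-then-execute'
            elif rec['status'] == 200:
                reason = 'script-served'
            else:
                reason = 'probe'
            findings.append({'reason': reason, 'ip': ip,
                             'path': path.split('?', 1)[0], 'status': rec['status']})
    return findings

if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f"{f['reason']:20} {f['ip']:14} {f['status']} {f['path']}")
```

On the sample, the first client is reported as upload-then-execute (POST followed seven seconds later by a 200 for files/shell.php), the PDF download is ignored, and the 404 from the third client is reported as a probe. The per-client window is what separates real exploitation from background scanning; tune it to how quickly your form returns the upload response.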
