CVE-2015-10135

9.8 CRITICAL

📋 TL;DR

The WPshop 2 E-Commerce plugin for WordPress versions before 1.3.9.6 allows unauthenticated attackers to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. Any WordPress site using vulnerable versions of this plugin is at risk.

💻 Affected Systems

Products:
  • WPshop 2 - E-Commerce WordPress plugin
Versions: All versions before 1.3.9.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and activated. No special configuration needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full server control through remote code execution, leading to data theft, site defacement, malware distribution, or ransomware deployment.

🟠 Likely Case

Attackers upload web shells to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.

🟢 If Mitigated

File uploads are blocked or validated, preventing malicious file execution while maintaining plugin functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available. Exploitation requires only HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.9.6

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/1103406

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins.
3. Find WPshop 2 - E-Commerce.
4. Click 'Update Now' to version 1.3.9.6 or later.
5. Verify update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the WPshop plugin until patched

wp plugin deactivate wpshop

Web server file upload restriction

linux

Block file uploads to the vulnerable endpoint via web server configuration

# Apache (2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"):
<Location /wp-content/plugins/wpshop/ajax.php>
    Deny from all
</Location>
# Nginx: location ~* /wp-content/plugins/wpshop/ajax.php { return 403; }

🧯 If You Can't Patch

  • Immediately disable or remove the WPshop plugin from production systems
  • Implement web application firewall rules to block requests to /wp-content/plugins/wpshop/ajax.php

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WPshop 2 - E-Commerce version number. If version is below 1.3.9.6, system is vulnerable.

Check Version:

wp plugin list --name=wpshop --field=version

Verify Fix Applied:

Confirm plugin version is 1.3.9.6 or higher in WordPress admin panel. Test file upload functionality with non-image files to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-content/plugins/wpshop/ajax.php with file uploads
  • Files with suspicious extensions (.php, .phtml, .jsp) uploaded to wp-content/uploads/wpshop/
  • Unusual process execution from web server user

Network Indicators:

  • POST requests to ajax.php endpoint with file uploads from unexpected sources
  • Subsequent connections to uploaded files with command-like parameters

SIEM Query:

source="web_server_logs" AND uri="/wp-content/plugins/wpshop/ajax.php" AND method="POST" AND size>100000
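
The log indicators above can be checked offline against an access log. The script below is an added example, not part of the advisory or the plugin: it assumes the Apache/Nginx "combined" log format, and the sample log lines are constructed.

```python
import re

# Paths taken from the advisory's log indicators.
ENDPOINT = "/wp-content/plugins/wpshop/ajax.php"
UPLOAD_DIR = "/wp-content/uploads/wpshop/"
SCRIPT_EXT = (".php", ".phtml", ".jsp")

# Assumption: Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "POST /wp-content/plugins/wpshop/ajax.php HTTP/1.1" 200 312 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:09 +0000] "GET /wp-content/uploads/wpshop/a1.php?x=1 HTTP/1.1" 200 58 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-content/uploads/wpshop/logo.png HTTP/1.1" 200 9120 "-" "-"
198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-content/uploads/wpshop/x.phtml HTTP/1.1" 404 210 "-" "-"
"""

def scan(lines):
    """Return (severity, client_ip, uri, status) for each matching request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-combined-format line
        ip, uri, status = m["ip"], m["uri"], m["status"]
        path = uri.split("?", 1)[0].lower()  # ignore query string and case
        if m["method"] == "POST" and path == ENDPOINT:
            # Access logs do not show whether the POST carried a file,
            # so this is a lead to review, not a verdict.
            findings.append(("review", ip, uri, status))
        elif path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT):
            # A 200 means a script file exists in the upload directory
            # and the server answered a request for it.
            severity = "critical" if status == "200" else "suspicious"
            findings.append((severity, ip, uri, status))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding, sep="\t")
```

Any "critical" finding warrants checking the upload directory on disk for the named file and treating the host as potentially compromised.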
