CVE-2015-3173
📋 TL;DR
This vulnerability in the Custom Content Type Manager WordPress plugin allows authenticated administrators to execute arbitrary PHP code remotely. It affects WordPress sites using vulnerable versions of this plugin, potentially compromising the entire web server.
💻 Affected Systems
- WordPress Custom Content Type Manager plugin
📦 What is this software?
Custom Content Type Manager by Custom Content Type Manager Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, malware installation, or use as part of a botnet.
Likely Case
Attacker gains full control of the WordPress site and underlying server if administrator credentials are compromised.
If Mitigated
Limited impact if proper access controls and monitoring are in place to detect unauthorized administrator activity.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.8.6 and later
Vendor Advisory: https://github.com/craftsmancoding/custom-content-type-manager/blob/master/readme.txt
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Custom Content Type Manager
4. Click 'Update Now' if available
5. If not, download version 0.9.8.6+ from WordPress repository
6. Deactivate old plugin
7. Upload and activate new version
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate custom-content-type-manager
Restrict Admin Access
Implement IP whitelisting for the WordPress admin area
# Add to .htaccess for Apache 2.2 (mod_access) syntax. This rule covers
# wp-login.php only; the /wp-admin/ directory needs its own matching rule.
<Files "wp-login.php">
Order Deny,Allow
Deny from all
# Replace 192.168.1.0/24 with the network your administrators log in from
Allow from 192.168.1.0/24
</Files>
# On Apache 2.4 (mod_authz_core) the equivalent is:  Require ip 192.168.1.0/24
🧯 If You Can't Patch
- Remove administrator privileges from all non-essential users
- Implement web application firewall rules to block PHP execution attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Custom Content Type Manager version. If the version is below 0.9.8.6, the system is vulnerable.
Check Version:
wp plugin get custom-content-type-manager --field=version
Verify Fix Applied:
Confirm plugin version is 0.9.8.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator login patterns
- POST requests to plugin PHP files with code parameters
- File creation/modification in wp-content/uploads
Network Indicators:
- HTTP requests containing eval() or system() calls in POST data
- Outbound connections from web server to unfamiliar IPs
SIEM Query:
source="wordpress.log" AND ("custom-content-type-manager" OR "CCTM") AND ("eval" OR "system" OR "exec" OR "shell_exec")
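The log and network indicators above, applied as detection logic over sample request records. This is an added example, not part of the original advisory: it assumes a JSON-lines request log from a reverse proxy or WAF that records POST bodies (standard web server access logs do not), and the log lines, field names and paths below are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample log (not real traffic): one JSON object per request.
SAMPLE_LOG = """\
{"ts":"2015-05-12T10:01:02Z","ip":"203.0.113.7","user":"admin","method":"POST","path":"/wp-admin/admin.php?page=cctm","body":"cctm_action=create_post_type&post_type=book"}
{"ts":"2015-05-12T10:02:30Z","ip":"203.0.113.7","user":"admin","method":"POST","path":"/wp-content/plugins/custom-content-type-manager/index.php","body":"php_code=eval(base64_decode('...'))"}
{"ts":"2015-05-12T10:03:11Z","ip":"198.51.100.9","user":"","method":"GET","path":"/wp-content/plugins/custom-content-type-manager/css/style.css","body":""}
{"ts":"2015-05-12T10:04:45Z","ip":"203.0.113.7","user":"admin","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=cctm_save&code=system%28%27id%27%29"}
"""

# Plugin directory as installed from the WordPress repository (assumed layout).
PLUGIN_PATH = "/wp-content/plugins/custom-content-type-manager/"
PLUGIN_MARKERS = ("custom-content-type-manager", "cctm")
# The function names the SIEM query in this advisory keys on, plus passthru().
DANGEROUS_CALLS = re.compile(r"\b(eval|system|exec|shell_exec|passthru)\s*\(", re.I)


def classify(event):
    """Return the list of reasons a request record is suspicious (empty = benign)."""
    reasons = []
    if event["method"] != "POST":
        return reasons
    path = event["path"]
    body = unquote_plus(event["body"])  # decode %28 / + so obfuscated bodies still match
    # Only look at requests that involve the plugin, by path or by parameter name.
    if not any(m in (path + body).lower() for m in PLUGIN_MARKERS):
        return reasons
    match = DANGEROUS_CALLS.search(body)
    if match:
        reasons.append(f"dangerous call {match.group(1).lower()}() in POST body")
    if path.startswith(PLUGIN_PATH) and path.endswith(".php"):
        reasons.append("direct POST to plugin PHP file")
    return reasons


def scan(log_text):
    """Yield (timestamp, user, source ip, reasons) for every suspicious record."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ts"], event["user"] or "-", event["ip"], reasons))
    return hits


if __name__ == "__main__":
    for ts, user, ip, reasons in scan(SAMPLE_LOG):
        print(f"{ts} user={user} ip={ip}: {'; '.join(reasons)}")
```

Because the vulnerability needs administrator credentials, correlating these hits with the "unusual administrator login patterns" indicator (same user, new source IP) is what turns a single alert into a credible incident.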
🔗 References
- https://blog.nettitude.com/uk/custom-content-type-manager-remote-code-execution
- https://github.com/craftsmancoding/custom-content-type-manager/blob/master/readme.txt
- https://wpscan.com/vulnerability/6b3d0736-7f08-4403-95eb-4385cb206f9e