CVE-2015-7806

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on WordPress sites using the Form Manager plugin. Attackers can exploit eval injection in the ajax.php file to run malicious commands. All WordPress sites running vulnerable versions of the Form Manager plugin are affected.

💻 Affected Systems

Products:
  • WordPress Form Manager Plugin
Versions: All versions before 1.7.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Form Manager plugin enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to install malware, steal data, deface websites, or use the server for further attacks.

🟠

Likely Case

Remote code execution leading to website defacement, data theft, or installation of backdoors for persistent access.

🟢

If Mitigated

Limited impact if proper web application firewalls and input validation are in place, though risk remains high due to eval injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via crafted HTTP requests to ajax.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.3

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/1264145

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Form Manager plugin.
4. Click 'Update Now' to update to version 1.7.3 or later.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Form Manager Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patching is possible.

  wp plugin deactivate form-manager

Restrict Access to ajax.php (applies to: all)

Block direct access to the vulnerable file using web server configuration. Match the plugin's own file rather than any path containing "ajax.php", otherwise the rule also blocks WordPress core's /wp-admin/admin-ajax.php and breaks normal site functionality. In Nginx, regex locations are matched in order, so the deny rule must come before the generic PHP handler.

  # Apache 2.4 (in the plugin directory's .htaccess, or a <Directory> block for it):
  <Files "ajax.php">
      Require all denied
  </Files>

  # Nginx (place before the generic "location ~ \.php$" block):
  location ~* ^/wp-content/plugins/form-manager/ajax\.php$ { deny all; }

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block eval injection attempts
  • Isolate affected WordPress instance from critical network segments

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Form Manager version. If version is below 1.7.3, system is vulnerable.

Check Version:

wp plugin get form-manager --field=version

Verify Fix Applied:

Confirm Form Manager plugin version is 1.7.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-content/plugins/form-manager/ajax.php
  • PHP errors referencing "eval()'d code" in the PHP or web server error log
  • Suspicious command execution patterns

Network Indicators:

  • HTTP requests containing eval() or system() calls targeting ajax.php
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (url="*form-manager/ajax.php*" AND (method="POST" OR body="*eval*"))

Match on the plugin's path rather than "*ajax.php*" alone: every WordPress site sends constant traffic to /wp-admin/admin-ajax.php, which would otherwise drown the query in noise.
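The log indicators above, applied to web server access logs as an added example (not part of the original advisory): it flags POST requests to the plugin's ajax.php and requests whose query string carries the eval()/system() indicators, while ignoring the unrelated core admin-ajax.php endpoint. The log lines are constructed samples in Apache/nginx "combined" format; the VULN_PATH, LOG_RE and INDICATOR_RE names are this example's own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The plugin endpoint named in the advisory. Matching the full path keeps
# WordPress core's /wp-admin/admin-ajax.php (hit constantly by every site)
# out of the results, unlike a loose "*ajax.php*" pattern.
VULN_PATH = "/wp-content/plugins/form-manager/ajax.php"

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Strings the advisory lists as network indicators for this CVE.
INDICATOR_RE = re.compile(r"\b(eval|system)\s*\(", re.IGNORECASE)

def classify(line):
    """Return a reason string if the line matches the CVE-2015-7806 indicators
    (POST to the plugin's ajax.php, or a request to it whose decoded query
    string contains eval()/system()); otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != VULN_PATH:
        return None
    if m.group("method") == "POST":
        return "POST to form-manager ajax.php"
    if INDICATOR_RE.search(unquote_plus(parts.query)):
        return "eval()/system() in query string to form-manager ajax.php"
    return None

def scan(lines):
    """Return one record per suspicious line: source IP, timestamp and reason."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "reason": reason})
    return hits

# Constructed sample log (documentation IP ranges); only the first two lines should fire.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /wp-content/plugins/form-manager/ajax.php HTTP/1.1" 200 512 "-" "curl/7.43.0"
198.51.100.7 - - [10/Oct/2015:13:55:40 +0000] "GET /wp-content/plugins/form-manager/ajax.php?q=eval%28 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2015:13:56:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2015:13:56:05 +0000] "GET /contact/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```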
