CVE-2015-9271
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary PHP code on WordPress sites using the vulnerable VideoWhisper plugin. Attackers can upload malicious .phtml files that bypass the plugin's file extension validation, leading to remote code execution. All WordPress sites running the affected plugin version are vulnerable.
💻 Affected Systems
- VideoWhisper Video Conference Integration Plugin for WordPress
📦 What is this software?
Video Conference by Videowhisper
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, install backdoors, steal data, deface websites, or pivot to internal networks.
Likely Case
Website defacement, data theft, malware distribution, or use as part of a botnet for further attacks.
If Mitigated
Attack blocked at web application firewall level or file upload prevented through server configuration.
🎯 Exploit Status
Exploitation is straightforward - attackers simply need to upload a .phtml file containing PHP code. The vulnerability was publicly disclosed with proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.91.9 or later
Vendor Advisory: http://www.vapidlabs.com/advisory.php?v=116
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'VideoWhisper Video Conference Integration'
4. Click 'Update Now' if update available
5. If no update available, deactivate and remove the plugin
6. Install latest version from official WordPress repository
🔧 Temporary Workarounds
Block .phtml file execution
Configure the web server not to execute .phtml files as PHP
For Apache: Add 'RemoveHandler .phtml .php .php3 .php4 .php5 .php7' to .htaccess
For Nginx: Add 'location ~ \.phtml$ { deny all; }' to nginx.conf
Restrict upload directory
Prevent PHP execution in the upload directory
For Apache: Add 'php_flag engine off' to .htaccess in upload directory
For Nginx: Add 'location ~* /vc/uploads/.*\.php$ { deny all; }' to nginx.conf
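The two workarounds above act at the web server, which is the right place for an emergency stop. The defect the advisory describes, an extension check that .phtml slips past, is a well-known bug class: a denylist of script extensions that is not complete. Below is an added illustration, not the plugin's code (the plugin is PHP; this is Python so the comparison reads clearly), and it assumes the denylist shape of the bug and a sample allowed-extension set for a video plugin. The allowlist validator also refuses multi-extension names such as shell.phtml.jpg, path separators and NUL bytes, which a denylist typically ignores. One caveat on the Apache line above: a RemoveHandler that includes .php, applied at the site root, can stop the site's own PHP as well, so keep that directive scoped to the upload directory.

```python
import os
import re

# Denylist-style check of the kind the advisory describes .phtml bypassing. This is the
# assumed shape of the bug class, not the plugin's actual code: it names a few PHP
# extensions and misses the rest of the family.
DENIED = {".php", ".php3", ".php4", ".php5"}


def denylist_allows(filename):
    """Return True if the (incomplete) denylist would let this upload through."""
    return os.path.splitext(filename)[1].lower() not in DENIED


# Allowlist validator: only the extensions the feature needs (assumed set), and every
# dotted segment after the base name must be allowed, so shell.phtml.jpg is refused too.
# Apache can map a request to a handler on any extension in the name, which is why the
# check must look at all of them rather than only the last one.
ALLOWED = {"jpg", "jpeg", "png", "gif", "flv", "mp4"}
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowlist_accepts(filename):
    """Return True only for a plain base name followed by allowed extensions."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False  # NUL bytes and path separators have no place in an upload name
    parts = filename.split(".")
    if len(parts) < 2 or not SAFE_BASE.match(parts[0]):
        return False  # no extension at all, or a base name outside the safe charset
    return all(ext.lower() in ALLOWED for ext in parts[1:])


if __name__ == "__main__":
    for name in ("video.mp4", "video.phtml", "shell.phtml.jpg", "../evil.jpg"):
        print(f"{name:18} denylist={denylist_allows(name)!s:5} allowlist={allowlist_accepts(name)}")
```

The denylist lets video.phtml through, which is exactly the gap the advisory describes; the allowlist rejects it without needing to know every extension PHP might be mapped to.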
🧯 If You Can't Patch
- Immediately disable or remove the VideoWhisper plugin from all WordPress installations
- Implement web application firewall rules to block requests to vc/vw_upload.php and block .phtml file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → VideoWhisper Video Conference Integration version. If the version is 4.91.8 or earlier, the system is vulnerable.
Check Version:
wp plugin list --name='VideoWhisper Video Conference Integration' --field=version
Verify Fix Applied:
Verify that the plugin version is 4.91.9 or later. Test the file upload functionality with a .phtml extension; it should be rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php
- File uploads with .phtml extension
- Unusual PHP process execution from upload directory
Network Indicators:
- POST requests to vw_upload.php endpoint with file uploads
- Traffic patterns showing file uploads followed by immediate execution attempts
SIEM Query:
source="web_logs" AND (uri_path="/vc/vw_upload.php" OR file_extension=".phtml")
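The log and network indicators above, and the SIEM query, can be run over raw web server logs directly. The following is an added example, not part of the advisory, that parses Apache/nginx combined-format access log lines and raises the three indicators listed: a POST to the vw_upload.php endpoint, any request for a .phtml path, and an upload followed within a short window by a request for a script in the upload directory. The endpoint path is the one the advisory gives; the upload directory path is assumed from the /vc/uploads/ fragment in the Nginx workaround, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Standard Apache/nginx "combined" access-log format; the regex is a plain parse of it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint from the advisory's log indicators; the uploads directory is assumed from
# the '/vc/uploads/' fragment in the Nginx workaround.
UPLOAD_ENDPOINT = "/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php"
UPLOAD_DIR = "/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads/"
SCRIPT_EXTS = (".php", ".phtml")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def classify(entries, window=timedelta(minutes=5)):
    """Return (reason, client_ip, path) tuples for every indicator that fires."""
    alerts = []
    last_upload = {}  # client ip -> time of its most recent POST to the upload endpoint
    for e in entries:
        path = e["path"].lower()
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            alerts.append(("post_to_vw_upload", e["ip"], e["path"]))
            last_upload[e["ip"]] = e["ts"]
        if path.endswith(".phtml"):
            alerts.append(("phtml_request", e["ip"], e["path"]))
        # an upload followed, within the window, by a request for a script in the upload dir
        if path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXTS):
            seen = last_upload.get(e["ip"])
            if seen is not None and e["ts"] - seen <= window:
                alerts.append(("upload_then_execute", e["ip"], e["path"]))
    return alerts


def scan(log_text):
    """Parse raw log text and classify every line that parses."""
    entries = [p for p in (parse_line(line) for line in log_text.splitlines()) if p]
    return classify(entries)


# Constructed sample log: RFC 5737 documentation addresses and invented timestamps.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2019:12:00:05 +0000] "POST /wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php HTTP/1.1" 200 45
203.0.113.9 - - [10/Mar/2019:12:00:07 +0000] "GET /wp-content/plugins/videowhisper-video-conference-integration/vc/uploads/x.phtml HTTP/1.1" 200 312
203.0.113.5 - - [10/Mar/2019:12:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for reason, ip, path in scan(SAMPLE_LOG):
        print(f"{reason:22} {ip:14} {path}")
```

Against the sample log this yields three alerts, all from 203.0.113.9: the POST to the upload endpoint, the .phtml request, and the correlated upload-then-execute pair. The time window is a tunable; five minutes is a reasonable starting point since the advisory notes that execution attempts tend to follow the upload immediately.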