CVE-2015-9272

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to upload and execute arbitrary PHP code on WordPress sites running the vulnerable VideoWhisper Video Presentation plugin. Attackers bypass the plugin's file upload restrictions by giving malicious files a '.phtml' extension, which the web server still executes as PHP, leading to remote code execution. All WordPress installations with version 3.31.17 or earlier of this plugin are affected.

💻 Affected Systems

Products:
  • VideoWhisper Video Presentation plugin for WordPress
Versions: 3.31.17 and earlier
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active. The vulnerable file vp/vw_upload.php handles file uploads with insufficient validation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, deface websites, or pivot to internal networks.

🟠 Likely Case

Website defacement, data theft, malware distribution, or cryptocurrency mining through uploaded malicious scripts.

🟢 If Mitigated

Limited impact with proper file upload restrictions, web application firewalls, and restricted PHP execution in upload directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: an attacker only needs to upload a .phtml file containing PHP code and then request it. Multiple public advisories and proofs of concept exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.31.18 or later

Vendor Advisory: http://www.vapidlabs.com/advisory.php?v=117

Restart Required: No

Instructions:

1. Update the VideoWhisper Video Presentation plugin to version 3.31.18 or later via the WordPress admin panel.
2. Alternatively, remove the plugin entirely if it is not needed.
3. Clear any cached files after the update.

🔧 Temporary Workarounds

Block access to uploaded .phtml files via .htaccess

Prevent the web server from serving or executing .phtml files in upload directories. This does not stop the upload itself; it stops the uploaded file from being reached afterwards. Add to .htaccess in the upload directory (Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied"):

    <FilesMatch "\.phtml$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>

Disable PHP execution in upload directories

Prevent any PHP code execution in the vulnerable directories. Add to .htaccess:

    php_flag engine off

Or:

    AddHandler text/plain .php .php3 .php4 .php5 .phtml

Note that php_flag only takes effect when PHP runs as an Apache module (mod_php); with PHP-FPM or FastCGI it is silently ignored, so use the AddHandler line (or remove the PHP handler for that directory) instead. Both approaches also require AllowOverride to permit these directives in .htaccess.

🧯 If You Can't Patch

  • Immediately disable or remove the VideoWhisper Video Presentation plugin
  • Implement web application firewall rules to block requests to vp/vw_upload.php and block .phtml file uploads

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel for the plugin version. If the VideoWhisper Video Presentation plugin is installed and the version is 3.31.17 or earlier, the site is vulnerable.

Check Version:

Check WordPress admin dashboard > Plugins > VideoWhisper Video Presentation, or examine wp-content/plugins/video-presentation/video-presentation.php header for version number.

Verify Fix Applied:

Verify plugin version is 3.31.18 or later in WordPress admin panel. Test that .phtml files cannot be uploaded or executed.
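The version check above can be scripted against the plugin's main file header. The following is an added example, not code from the page or from the plugin; it parses the "Version:" line that WordPress itself reads from the top of a plugin file and compares it numerically against the fixed release 3.31.18 (a plain string comparison would get cases like "3.4" versus "3.31" wrong). The sample header text is constructed for the demonstration, and the file path argument to check_plugin_file is whatever path the plugin is installed at on your host.

```python
import re
from typing import Optional, Tuple

# Fixed version named in the advisory; anything below it is affected.
FIXED_VERSION = "3.31.18"

# WordPress reads plugin headers as "Key: value" lines inside the leading comment
# block of the main plugin file (wp-content/plugins/video-presentation/video-presentation.php).
# Leading "*", "/", "#" and whitespace are allowed before the key, as in WordPress's own parser.
VERSION_HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: header value from plugin file text, or None if absent."""
    m = VERSION_HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split '3.31.17' into (3, 31, 17) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def check_plugin_file(path: str) -> Optional[bool]:
    """Read the main plugin file from disk; True/False for vulnerable/patched, None if no header."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        # WordPress only scans the first 8 KiB of the file for headers; do the same.
        version = parse_plugin_version(fh.read(8192))
    return None if version is None else is_vulnerable(version)


# Constructed sample header for the demonstration (not copied from the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: VideoWhisper Video Presentation
Version: 3.31.17
*/
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run check_plugin_file against the installed plugin file on each host; a None result means the header was not found and the install should be inspected by hand rather than assumed safe.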

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-content/plugins/video-presentation/vp/vw_upload.php
  • File uploads with .phtml extension
  • Unusual PHP execution in upload directories

Network Indicators:

  • POST requests to vulnerable upload endpoint with malicious file uploads
  • Subsequent requests to uploaded .phtml files

SIEM Query:

source="web_server" AND (uri="/wp-content/plugins/video-presentation/vp/vw_upload.php" OR filename="*.phtml")
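The log and network indicators above can be turned into a small correlation rule. The following is an added example, not part of the original advisory or of any vendor tooling: it parses combined-format web server log lines, flags POSTs to the vulnerable vw_upload.php endpoint and any request for a .phtml URL, and raises the confidence when the same client address does both in sequence. The log lines are constructed for the demonstration using documentation addresses; the endpoint path is the one the advisory names.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Upload handler named in the advisory (fixed in plugin version 3.31.18).
UPLOAD_ENDPOINT = "/wp-content/plugins/video-presentation/vp/vw_upload.php"

# Combined log format (Apache/Nginx default):
#   client ident authuser [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


class Finding(NamedTuple):
    ip: str
    ts: str
    kind: str      # "upload_post", "phtml_request" or "upload_then_phtml"
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into its fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(lines: List[str]) -> List[Finding]:
    """Apply the advisory's log indicators and correlate them per client address.

    A POST to the upload handler alone is low signal (it is also how the plugin
    normally works); the same address later requesting any .phtml URL is the
    high-signal pattern, because .phtml is the extension the bypass depends on.
    """
    findings: List[Finding] = []
    upload_seen: Dict[str, str] = {}   # client ip -> timestamp of its first upload POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string before matching
        ip, ts, status = rec["ip"], rec["ts"], int(rec["status"])
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            findings.append(Finding(ip, ts, "upload_post", path, status))
            upload_seen.setdefault(ip, ts)
        elif path.lower().endswith(".phtml"):
            kind = "upload_then_phtml" if ip in upload_seen else "phtml_request"
            findings.append(Finding(ip, ts, kind, path, status))
    return findings


def served_phtml(findings: List[Finding]) -> List[Finding]:
    """Subset of .phtml requests the server answered with 200, i.e. the file existed and was served."""
    return [f for f in findings if f.kind != "upload_post" and f.status == 200]


# Constructed sample log for the demonstration (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-content/plugins/video-presentation/vp/vw_upload.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/uploads/videos/demo.phtml HTTP/1.1" 200 212 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 40233 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "GET /old/report.phtml HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f.kind:18} {f.ip:14} {f.status} {f.path}")
```

A 404 on a .phtml request is worth keeping as a low-severity event (it may be a scanner probing), while a 200 from an address that just POSTed to the upload endpoint should page someone; if a .htaccess block from the workaround section is in place, the same request will show as 403, which confirms the control is working.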
