CVE-2015-9479
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites using the ACF-Frontend-Display plugin. Attackers can upload malicious PHP files and execute code remotely, potentially taking full control of affected websites. Any WordPress site running vulnerable versions of this plugin is affected.
💻 Affected Systems
- ACF-Frontend-Display WordPress Plugin
📦 What is this software?
ACF Frontend Display by Advancedcustomfields
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, defacement, malware distribution, and use as a pivot point for attacking internal networks.
Likely Case
Website defacement, backdoor installation, credential theft, and unauthorized access to sensitive data.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and file system permissions in place.
🎯 Exploit Status
Simple HTTP POST request to upload arbitrary files. Exploit code is publicly available and easy to use.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2015-07-03
Vendor Advisory: https://wordpress.org/plugins/acf-frontend-display/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the ACF-Frontend-Display plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Block vulnerable endpoint
Add a web server rule that denies access to the vulnerable PHP file. The path below is the bundled upload handler as it sits under the WordPress document root; adjust it if the plugin is installed elsewhere.
# For Apache, in the .htaccess at the WordPress document root (RewriteRule patterns in .htaccess are matched against the path relative to that directory, so the pattern must include the wp-content prefix):
RewriteEngine On
RewriteRule ^wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index\.php$ - [F,L]
# For Nginx, inside the server block. Regex locations are evaluated in order, so this must appear before the generic "location ~ \.php$" block that hands requests to PHP-FPM:
location ~ ^/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index\.php$ {
    deny all;
    return 403;
}
Restrict file uploads
Configure the web application firewall to block file uploads to suspicious paths, in particular any path containing blueimp-jQuery-File-Upload.
🧯 If You Can't Patch
- Immediately deactivate and remove the ACF-Frontend-Display plugin from all WordPress installations
- Implement strict file upload validation and monitoring for any remaining upload functionality
🔍 How to Verify
Check if Vulnerable:
Check if the file exists: /wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php
Check Version:
Check WordPress admin panel → Plugins → ACF-Frontend-Display version, or examine /wp-content/plugins/acf-frontend-display/acf-frontend-display.php header
Verify Fix Applied:
Verify plugin version is newer than 2015-07-03 or the vulnerable file path no longer exists
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php with action=upload parameter
- File creation in upload directories with .php extensions from unexpected sources
Network Indicators:
- Unusual file upload traffic to WordPress sites, especially to non-standard upload paths
SIEM Query:
source="web_server" AND (uri_path="/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php" OR uri_path CONTAINS "blueimp-jQuery-File-Upload") AND method="POST"
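As an added example (not part of this advisory), the following Python scanner applies the log indicators above to web server access-log lines: POST requests to the bundled upload handler are flagged as upload attempts, and GET requests to it as probes for the vulnerable file. It assumes the Apache/Nginx "combined" log layout; the sample lines are constructed, not real traffic.

```python
import re
from typing import Dict, List, Optional

# Handler path identified in the advisory (bundled blueimp jQuery-File-Upload server script).
VULN_MARKER = "blueimp-jQuery-File-Upload"
VULN_SUFFIX = "/server/php/index.php"

# Apache/Nginx "combined" access-log layout: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if the line is not relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if VULN_MARKER not in path or not path.endswith(VULN_SUFFIX):
        return None
    # A POST (especially with action=upload) is an upload attempt; a GET is a probe
    # of the kind used to check whether the vulnerable file is present.
    if m.group("method") == "POST":
        kind = "upload_attempt" if "action=upload" in query else "post_to_handler"
    else:
        kind = "probe"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "kind": kind,
            "status": m.group("status"), "path": path}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines (not real traffic); the first matches the advisory's log indicator.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2015:13:55:36 +0000] "POST /wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php?action=upload HTTP/1.1" 200 512 "-" "python-requests/2.7.0"',
    '198.51.100.7 - - [10/Jul/2015:13:56:01 +0000] "GET /wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jul/2015:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on the upload attempt is the case to triage first; pair it with the file-creation indicator above by checking the upload directory for new .php files around that timestamp.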