CVE-2015-9499

9.8 CRITICAL

📋 TL;DR

The Showbiz Pro WordPress plugin through version 1.7.1 contains an unrestricted file upload vulnerability that allows attackers to upload PHP files via ZIP archives, leading to remote code execution. This affects any WordPress site using the vulnerable plugin version. Attackers can gain complete control of affected websites.

💻 Affected Systems

Products:
  • Showbiz Pro WordPress Plugin
Versions: 1.7.1 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Showbiz Pro plugin enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing arbitrary code execution, data theft, website defacement, and lateral movement to other systems.

🟠 Likely Case

Website takeover, malware installation, credential theft, and backdoor persistence.

🟢 If Mitigated

Limited impact with proper file upload restrictions and web application firewalls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available, trivial to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.2 or later

Vendor Advisory: https://wpvulndb.com/vulnerabilities/7955

Restart Required: No

Instructions:

1. Update the Showbiz Pro plugin to version 1.7.2 or later via the WordPress admin panel.
2. Verify that the update completed successfully.
3. Remove any previously uploaded suspicious files.

🔧 Temporary Workarounds

Disable plugin (platform: all)

Temporarily disable the Showbiz Pro plugin until patched:

wp plugin deactivate showbiz-pro

Restrict file uploads (platform: all)

Block requests for .php files via web server configuration. The Apache directive below denies access to any .php file in the directory whose configuration (or .htaccess) it is placed in; it does not stop the upload itself, only the execution of what was uploaded. "Deny from all" is Apache 2.2 syntax and needs mod_access_compat on 2.4, where the equivalent is "Require all denied".

<FilesMatch "\.php$">
    Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Remove the Showbiz Pro plugin completely and use an alternative
  • Implement strict file upload validation and monitoring

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for Showbiz Pro plugin version 1.7.1 or earlier

Check Version:

wp plugin list --name=showbiz-pro --field=version

Verify Fix Applied:

Confirm plugin version is 1.7.2 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to wp-content/plugins/showbiz-pro/
  • POST requests to showbiz-pro upload endpoints with .zip files

Network Indicators:

  • HTTP POST requests containing ZIP archives to plugin upload handlers

SIEM Query:

source="web_logs" AND uri="*showbiz*" AND method="POST" AND file_ext="zip"
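Added detection example (not part of the advisory): a small access-log scanner that applies the log indicators and SIEM query above to constructed Apache combined-format lines. The showbiz upload URI and the dropped .php path in the sample are placeholders, since the page does not name the plugin's real endpoint paths.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" format: ip ident user [ts] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)
PLUGIN_DIR = "/wp-content/plugins/showbiz-pro/"

@dataclass
class Hit:
    ip: str
    ts: str
    uri: str
    reason: str

def classify(method, uri):
    """Return a reason string when a request matches an advisory indicator, else None."""
    u = uri.lower()
    # Indicator 1 (the SIEM query above): POST to a showbiz URI that references a .zip.
    if method == "POST" and "showbiz" in u and re.search(r"\.zip(?=$|[&?#])", u):
        return "zip-upload-to-showbiz-endpoint"
    # Indicator 2 (lower confidence): direct request for a .php file under the plugin
    # directory, i.e. something dropped there being called; baseline against normal traffic.
    path = u.split("?", 1)[0]
    if path.startswith(PLUGIN_DIR) and path.endswith(".php"):
        return "php-request-under-plugin-dir"
    return None

def scan_access_log(text):
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        reason = classify(m["method"], m["uri"])
        if reason:
            hits.append(Hit(m["ip"], m["ts"], m["uri"], reason))
    return hits

# Constructed sample lines. The showbiz-pro upload URI and the x.php path are
# placeholders, not the plugin's real endpoint paths.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2020:12:00:01 +0000] "GET /wp-content/plugins/showbiz-pro/assets/style.css HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:12:00:09 +0000] "POST /wp-admin/admin.php?page=showbiz-pro&file=bundle.zip HTTP/1.1" 200 88 "-" "python-requests/2.22"
203.0.113.5 - - [10/Mar/2020:12:00:12 +0000] "GET /wp-content/plugins/showbiz-pro/temp/bundle/x.php HTTP/1.1" 200 31 "-" "python-requests/2.22"
192.0.2.10 - - [10/Mar/2020:12:01:00 +0000] "POST /wp-admin/media-new.php?file=photos.zip HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
```

Running scan_access_log(SAMPLE_LOG) flags the second and third lines only; the ordinary media upload on the last line is left alone.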
