CVE-2016-1000156

9.8 CRITICAL

📋 TL;DR

CVE-2016-1000156 tracks an incomplete fix in version 1.100 of the Mailcwp WordPress plugin. The plugin's file upload handler can still be reached by an unauthenticated remote attacker to place arbitrary files, including PHP, on the web server; on a typical configuration that is remote code execution as the web server user and, from there, full compromise of the site.

💻 Affected Systems

Products:
  • Mailcwp WordPress Plugin
Versions: 1.100 (versions before 1.100 predate even the incomplete fix and should be treated as vulnerable as well)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Mailcwp plugin installed. Whether deactivating the plugin removes exposure depends on whether the upload handler runs through WordPress or is a standalone script reached by direct request to the plugin directory; deleting the plugin is the safe option.

📦 What is this software?

Mailcwp (Mail Client for WordPress) is a plugin that adds a webmail client to the WordPress dashboard. The vulnerable component is its file upload handler.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover via remote code execution as the web server user, data theft, defacement, and lateral movement into the surrounding network.

🟠 Likely Case

Webshell upload followed by defacement, data exfiltration, and a persistent backdoor on the server.

🟢 If Mitigated

Limited impact where PHP execution is denied in upload directories, a WAF blocks unauthenticated POSTs to the upload handler, and file integrity monitoring alerts on new PHP files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single multipart HTTP POST to the plugin's upload handler; the validation added in 1.100 is incomplete and can be bypassed, so no authentication or prior interaction is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A release later than 1.100; this page names none, so confirm from the plugin changelog that the release you install addresses the upload handler

Vendor Advisory: https://wordpress.org/plugins/mailcwp/ (plugin listing and changelog; no separate advisory is linked here)

Restart Required: No

Instructions:

1. Log into the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find the Mailcwp plugin and note its version
4. Click 'Update Now' if a version later than 1.100 is offered
5. If no later version is offered, deactivate and delete the plugin; reinstalling from the repository would only return version 1.100 (or older)
6. Afterwards confirm that the installed version is later than 1.100 (or that the plugin directory is gone), and check upload directories for PHP files that may have been placed before the fix

🔧 Temporary Workarounds

Disable Mailcwp Plugin

all

Temporarily deactivate the vulnerable plugin until a fixed version is available. Deactivation leaves the plugin's files on disk; if the upload handler is a standalone script reached by direct request (as the path in the detection section suggests), it stays reachable, so also delete the plugin (wp plugin delete mailcwp) or deny direct access to its PHP files.

wp plugin deactivate mailcwp

Deny Direct Requests to PHP Files via .htaccess

linux (Apache only; nginx does not read .htaccess)

Denies direct HTTP requests to PHP files in the directory where the file is placed. It does not stop the upload itself. Placed in the directory the plugin writes uploads to (typically under wp-content/uploads), it stops an uploaded webshell from executing; placed in the plugin directory, it blocks direct requests to the upload handler while leaving code that WordPress includes itself unaffected. The Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use Require all denied instead. Test the site after applying it.

<FilesMatch "\.(php|php5|phtml|phar)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Add WAF rules that block, or require an authenticated WordPress session for, POST requests to the Mailcwp upload handler
  • Enable file integrity monitoring on wp-content/uploads (and the plugin's own upload destination, if different) and alert on any new .php, .phtml or .phar file, or on PHP code inside files with other extensions
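The scan below is an added example, not code from this page or from the Mailcwp project. It shows the check a file integrity monitor should make on an uploads tree: flag PHP by extension (including double extensions such as photo.php.jpg), flag an .htaccess dropped into uploads, and sniff the first bytes of every other file for a PHP opening tag so that a webshell hidden inside an image is still caught. The directory layout and file contents are constructed for the demo; the placeholder "shell" contains no working code.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Extensions a PHP handler commonly executes; ".php." in the middle of a name catches
# double-extension uploads such as photo.php.jpg as well.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# PHP opening tag, including the short echo form; matched on bytes so binaries scan cleanly.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)")
HEAD_BYTES = 64 * 1024  # a webshell's opening tag is near the start; keep reads bounded


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk an uploads tree and return (relative_path, reason) for anything that looks like PHP."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess":
                # Attackers drop an .htaccess to re-enable PHP handling for other extensions.
                findings.append((rel, "htaccess_in_uploads"))
            elif PHP_EXT_RE.search(name):
                findings.append((rel, "php_extension"))
            else:
                with open(full, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
                if PHP_TAG_RE.search(head):
                    findings.append((rel, "php_code_in_non_php_file"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a throwaway uploads tree with constructed files: a clean PNG, an obvious
    PHP file, a JPEG carrying a PHP tag, and a double-extension file."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    month = os.path.join(root, "2016", "03")
    os.makedirs(month)
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "shell.php": b"<?php /* constructed placeholder, not a working shell */ ?>",
        "avatar.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?php /* hidden in image data */ ?>",
        "photo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    }
    for name, content in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_uploads(build_demo_tree()):
        print(f"{reason:26} {path}")
```

Run it from cron or on an inotify event against the real uploads directory; a production monitor would additionally keep a baseline of hashes and report only files that are new or changed since the last run.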

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, Plugins → Installed Plugins, check the Mailcwp version. 1.100 is vulnerable, and so is anything older, since 1.100 was itself only an incomplete fix.

Check Version:

wp plugin list --name=mailcwp --field=version

Verify Fix Applied:

The installed Mailcwp version is later than 1.100, or the plugin has been deleted (not merely deactivated, which leaves its files in place).
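When the check is scripted across many sites, the comparison itself needs care: "1.100" sorts before "1.99" as a string, so a naive string compare would report the vulnerable release as fixed. The following is an added example, not code from this page or from the plugin, that reads the Version: line from a WordPress plugin file header and compares it numerically. The header text is a constructed sample, and the cut-off of 1.100 is taken from this page.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a WordPress plugin file header; not copied from the real plugin.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: MailCWP
Plugin URI: https://wordpress.org/plugins/mailcwp/
Version: 1.100
*/
"""

# Highest version this page identifies as vulnerable (1.100 is itself an incomplete fix).
LAST_KNOWN_VULNERABLE = "1.100"

VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: header value from a plugin file, or None if absent."""
    m = VERSION_HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key so that 1.100 sorts after 1.99; plain string comparison
    gets this wrong ("1.100" < "1.99" lexically). Trailing zeros are dropped so that
    1.100.0 compares equal to 1.100."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for 1.100 and anything older; only a later release counts as fixed."""
    return version_key(version) <= version_key(LAST_KNOWN_VULNERABLE)


def assess(header_text: str) -> Tuple[str, Optional[str]]:
    """Classify a plugin header as vulnerable / patched / unknown, with the version found."""
    version = parse_plugin_version(header_text)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER))
```

Feed it the contents of the plugin's main PHP file, or the value printed by wp plugin list; either way the decision is made on the numeric key, never on the raw string.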

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to the plugin's upload handler (/wp-content/plugins/mailcwp/upload.php as identified here; confirm the path against the installed plugin's source), especially from scripted clients or scanners
  • New files with .php, .phtml or .phar extensions under wp-content/uploads, whatever their names; attackers rarely choose suspicious ones

Network Indicators:

  • Unusual outbound connections from web server after file uploads
  • POST requests to Mailcwp endpoints with file parameters

SIEM Query:

source="web_logs" AND uri="/wp-content/plugins/mailcwp/upload.php" AND method="POST"

Deliberately no minimum request size: a webshell upload is often under a kilobyte, so a threshold such as size>100000 would hide exactly the events of interest. Follow any hit with the same client's subsequent requests for PHP under wp-content/uploads.
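The same logic as a stand-alone detector, added here as an example that is not part of this page or of any vendor tooling: it parses combined-format access log lines, flags every POST to the upload handler regardless of size, flags direct requests for PHP under wp-content/uploads, and raises the severity when the same client did both within a short window. The upload path is the one this page gives and should be confirmed against the installed plugin; the log lines are constructed, not real traffic.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Upload handler path as given on this page; confirm it against the installed plugin's source.
UPLOAD_ENDPOINT = "/wp-content/plugins/mailcwp/upload.php"
# Direct requests for PHP under the uploads tree are almost never legitimate.
PHP_IN_UPLOADS_RE = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=10)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2016:14:02:11 +0000] "POST /wp-content/plugins/mailcwp/upload.php HTTP/1.1" 200 312 "-" "python-requests/2.9.1"',
    '203.0.113.5 - - [10/Mar/2016:14:02:13 +0000] "GET /wp-content/uploads/2016/03/shell.php?cmd=id HTTP/1.1" 200 58 "-" "python-requests/2.9.1"',
    '198.51.100.7 - - [10/Mar/2016:14:05:40 +0000] "GET /wp-content/uploads/2016/03/logo.png HTTP/1.1" 200 4096 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2016:14:06:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, client_ip, path) tuples. No size threshold: a webshell is tiny."""
    findings = []
    last_upload = {}  # client ip -> time of its most recent POST to the upload handler
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and path.split("?", 1)[0] == UPLOAD_ENDPOINT:
            findings.append(("upload_attempt", ip, path))
            last_upload[ip] = ts
        elif PHP_IN_UPLOADS_RE.match(path):
            # Same client uploaded shortly before requesting PHP from uploads: high confidence.
            if ip in last_upload and ts - last_upload[ip] <= CORRELATION_WINDOW:
                findings.append(("upload_then_execute", ip, path))
            else:
                findings.append(("php_in_uploads", ip, path))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The 312-byte POST in the sample is exactly the kind of event a size filter would have dropped; here it is reported, and the follow-up GET two seconds later from the same address is promoted to upload_then_execute.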
