CVE-2016-15042

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites using vulnerable versions of the Frontend File Manager or N-Media Post Front-end Form plugins. Due to missing file type validation in AJAX endpoints, attackers can upload malicious files like PHP shells, potentially leading to remote code execution. Any WordPress site with these plugins installed and not updated is affected.

💻 Affected Systems

Products:
  • Frontend File Manager WordPress plugin
  • N-Media Post Front-end Form WordPress plugin
Versions: Frontend File Manager < 4.0, N-Media Post Front-end Form < 1.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configurations; no special settings required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via remote code execution, allowing attackers to execute arbitrary commands, steal data, deface websites, or install persistent backdoors.

🟠 Likely Case

Attackers upload web shells to gain unauthorized access, modify content, or use the server for malicious activities like hosting phishing pages or distributing malware.

🟢 If Mitigated

If file uploads are restricted via web application firewalls or server configurations, impact may be limited to denial-of-service or unauthorized file storage without execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via HTTP POST requests to vulnerable AJAX endpoints; public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Frontend File Manager 4.0+, N-Media Post Front-end Form 1.1+

Vendor Advisory: https://wordpress.org/plugins/nmedia-user-file-uploader/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Update Frontend File Manager to version 4.0 or higher and N-Media Post Front-end Form to version 1.1 or higher.
4. If updates are unavailable, deactivate and delete the plugins immediately.

🔧 Temporary Workarounds

Block Vulnerable AJAX Endpoints (Linux / Apache)

Use a web application firewall or .htaccess to block requests whose action is nm_filemanager_upload_file or nm_postfront_upload_file. Note that a RewriteRule pattern matches only the URL path, never the query string, so the action must be tested with RewriteCond on %{QUERY_STRING}. If the plugin's client sends action in the POST body instead of the query string, .htaccess cannot see it and a WAF that inspects request bodies is required.

# Add to .htaccess for Apache (requires mod_rewrite):
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=nm_(filemanager|postfront)_upload_file(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F]

Restrict File Uploads via PHP Configuration (all platforms)

Modify PHP settings to disable file uploads globally, or cap the upload size. php.ini cannot restrict allowed file types, and file_uploads = Off disables every upload on the site, including the WordPress media library, so use it only where that is acceptable; a size cap alone does not stop a small PHP file.

# Add to php.ini:
file_uploads = Off
# Or cap upload size instead (limits impact, does not block small malicious files):
upload_max_filesize = 1M
post_max_size = 1M

🧯 If You Can't Patch

  • Immediately deactivate and remove the vulnerable plugins from the WordPress installation.
  • Implement strict file upload validation at the server level using a web application firewall (WAF) to block malicious uploads.

🔍 How to Verify

Check if Vulnerable:

Check WordPress plugin versions in admin panel: Frontend File Manager < 4.0 or N-Media Post Front-end Form < 1.1 indicates vulnerability.

Check Version:

wp plugin list --fields=name,version,status (if WP-CLI is installed; --fields takes the comma-separated list, --field prints a single column)

Verify Fix Applied:

Confirm plugin versions are updated to Frontend File Manager >= 4.0 and N-Media Post Front-end Form >= 1.1 via WordPress admin > Plugins.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action parameters nm_filemanager_upload_file or nm_postfront_upload_file
  • Uploads of files with extensions like .php, .phtml, .php5 in upload directories

Network Indicators:

  • Unusual file upload traffic to WordPress AJAX endpoints from unauthenticated sources
  • Spikes in POST request size to admin-ajax.php

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (action="nm_filemanager_upload_file" OR action="nm_postfront_upload_file")
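As an added example that is not part of this advisory, the following Python script applies the log indicators above to web server access log lines: it flags POST requests to admin-ajax.php carrying one of the two vulnerable actions in the query string, and any request for a PHP-like file under the uploads directory. The combined log format, the /wp-content/uploads/ path and the sample lines are assumptions constructed for the example; if the plugin client sends the action in the POST body, it will not appear in access logs and only a WAF or application log can catch it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Action names come from the advisory; the uploads path is a typical
# WordPress layout and is an assumption of this example.
UPLOAD_ACTIONS = {"nm_filemanager_upload_file", "nm_postfront_upload_file"}
UPLOADS_PREFIX = "/wp-content/uploads/"
SCRIPT_EXT = re.compile(r"\.(php|phtml|php5)\b", re.IGNORECASE)

# Apache/nginx "combined" access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return a finding for one log line, or None if it matches no indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    action = parse_qs(url.query).get("action", [""])[0]
    # Indicator 1: POST to the AJAX endpoint with a vulnerable action.
    if (m["method"] == "POST"
            and url.path.endswith("/wp-admin/admin-ajax.php")
            and action in UPLOAD_ACTIONS):
        return f"upload-endpoint-hit {action} from {m['ip']}"
    # Indicator 2: a script-like file being requested from the uploads tree
    # (also catches double extensions such as shell.php.jpg).
    if url.path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(url.path):
        return f"script-in-uploads {url.path} from {m['ip']} status={m['status']}"
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2016:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=nm_filemanager_upload_file HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2016:12:00:03 +0000] "GET /wp-content/uploads/2016/03/x.php HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Mar/2016:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43',
    '198.51.100.7 - - [10/Mar/2016:12:00:07 +0000] "GET /wp-content/uploads/2016/03/photo.jpg HTTP/1.1" 200 3921',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed real access logs with `scan(open("access.log"))`; a hit on the first indicator followed shortly by a hit on the second from the same source is the pattern to escalate.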
