Critical: Remote Command Execution in WordPress Form Manager Plugin (CVE-2015-7806)

Research / Security Alerts / Posted October 23, 2015

On the 9th October researchers at AppCheck discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.

Demonstration Video

See details and a demonstration of the vulnerability here.

Exploit Script

Here is an example exploit script for this vulnerability: wp-forms-manager-CVE-2015-7806.py

Solution

The vulnerability has now been resolved by the developer: please upgrade this module to >= 1.7.3

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details IP addresses URLs

Your details

Full Name

Company Name

Work Email

Telephone

Where did you hear about AppCheck?

IP Addresses

Please enter your IP address ranges

back next

URLs

Please enter full URLs for your web applications, and both http and https where appropriate

I have read and agreed to our Privacy Policy

I agree to receive information and commercial offers about AppCheck Ltd.

back