High severity7.2NVD Advisory· Published Jul 19, 2025· Updated Jun 17, 2026
CVE-2015-10133
CVE-2015-10133
Description
The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=2.1.2
- markjaquith/Subscribe to Commentsv5Range: 0
Patches
Vulnerability mechanics
References
5- advisories.dxw.com/advisories/admin-only-local-file-inclusion-and-arbitrary-code-execution-in-subscribe-to-comments-2-1-2/nvdExploitThird Party Advisory
- packetstormsecurity.com/files/132694/nvdExploitThird Party Advisory
- seclists.org/fulldisclosure/2015/Jul/71nvdExploitMailing List
- www.wordfence.com/threat-intel/vulnerabilities/id/f92784a7-f2b3-47f8-b03f-4e234b57e40anvdThird Party Advisory
- plugins.trac.wordpress.org/changesetnvdProductRelease Notes
News mentions
0No linked articles in our index yet.