CVE-2015-9271
Description
The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code, a different vulnerability than CVE-2014-1905.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <=4.91.8
- (no CPE) range: =4.91.8
Patches
Vulnerability mechanics
Root cause
"The plugin fails to properly validate file extensions, allowing arbitrary file uploads that can be interpreted as executable code."
Attack vector
An unauthenticated remote attacker can upload a file with an extension such as ".phtml" or ".Php.shtml" to a WordPress site running the vulnerable plugin. The plugin's upload script, `vc/vw_upload.php`, only checks whether the last four characters of the filename are in an allowed list, and its basic check for ".php" can be bypassed. This allows remote code execution if the server is configured to execute such files.
Affected code
The vulnerability exists in the file `videowhisper-video-conference-integration/vc/vw_upload.php`. The script processes uploaded files, and its validation logic for file extensions is flawed. It checks the last four characters of the filename and has a bypassable check for ".php".
What the fix does
The advisory indicates that earlier attempts to fix the vulnerability were insufficient. The vendor guidance is that the file extension check must be made more robust to prevent malicious file uploads. Specifically, the check `if (strstr($filename,'.php')) exit;` is insufficient, and the extension validation `if (in_array($ext,$allowed))` does not adequately prevent files with executable content from being uploaded.
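The following PHP is an added illustration, not the plugin's own code: it reconstructs the flawed validation from the description above (a case-sensitive `strstr` test for ".php" plus a check of only the last four characters against an allowlist) and places a hardened check beside it. The allowlists, the `substr($filename, -4)` reconstruction of `$ext`, and the function names are assumptions; the plugin's real source is not on this page.

```php
<?php
// Added example (not from the plugin). Reconstructs the flawed check described
// for vc/vw_upload.php and contrasts it with a stricter extension validator.

// Reconstruction of the flawed logic: a case-sensitive substring test for ".php"
// and a test of only the last four characters against an allowlist.
function flawed_upload_name_ok(string $filename): bool
{
    if (strstr($filename, '.php')) {           // the page quotes this as `exit;`
        return false;
    }
    // Assumed allowlist; the page only states that "html" is accepted.
    $allowed = ['.jpg', '.png', '.gif', 'html'];
    $ext = substr($filename, -4);              // assumed: last four characters
    return in_array($ext, $allowed, true);
}

// Hardened check: one extension only, case-normalised, strict allowlist of
// non-executable types, and a constrained base name.
function hardened_upload_name_ok(string $filename): bool
{
    $base = basename(trim($filename));         // drop any path components
    $parts = explode('.', $base);
    if (count($parts) !== 2) {                 // rejects "x.Php.shtml", "a.php.jpg", ".htaccess"
        return false;
    }
    [$name, $ext] = $parts;
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];  // assumed: image types only, no "html"
    return in_array(strtolower($ext), $allowed, true);
}

// Constructed sample filenames, including the two shapes named in the advisory.
$samples = ['photo.jpg', 'img.JPG', 'page.html', 'shell.phtml', 'x.Php.shtml', 'a.php', 'notes.php.jpg'];
printf("%-16s %-8s %s\n", 'filename', 'flawed', 'hardened');
foreach ($samples as $f) {
    printf("%-16s %-8s %s\n", $f,
        flawed_upload_name_ok($f) ? 'accept' : 'reject',
        hardened_upload_name_ok($f) ? 'accept' : 'reject');
}
```

Run with `php example.php`: the flawed check accepts `shell.phtml` and `x.Php.shtml` (the last four characters are "html" and `strstr` never sees a lowercase ".php"), while the hardened check rejects both. Extension checks alone are still only one layer: store uploads under a server-generated name, keep the upload directory outside the web root or with script execution disabled, and verify the content type rather than trusting the client-supplied name.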
Preconditions
- auth: No authentication is required to exploit this vulnerability.
- input: The attacker must provide a crafted filename with a double extension (e.g., .Php.shtml) and a payload within the uploaded file.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.vapidlabs.com/advisory.php (MITRE, x_refsource_MISC)