Description

The Responsive Thumbnail Slider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type sanitization in the image uploader in versions up to 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files to the affected site's server using a double extension, which may make remote code execution possible.

Status: PUBLISHED | Reserved 2025-07-24 | Published 2025-07-25 | Updated 2026-04-08 | Assigner: Wordfence

Severity

HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

Any version before 1.0.1: affected

Timeline

2015-08-29: Disclosed

Credits

Arash Khazaei (finder)

References

www.wordfence.com/...-d34c-4554-b670-28868dc136a5?source=cve

cxsecurity.com/issue/WLB-2015080170

www.acunetix.com/...rousel-slider-arbitrary-file-upload-1-0/

www.exploit-db.com/exploits/37998

raw.githubusercontent.com/...sive_thumbnail_slider_upload.rb

cve.org (CVE-2015-10144)

nvd.nist.gov (CVE-2015-10144)