CVE-2015-10135 | The WPshop 2 – E-Commerce plugin for WordPress is vulnerable… | CVSS 9.8 CRITICAL

Description

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Metadata

CVE ID: CVE-2015-10135
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-07-18 21:18 UTC
Published: 2025-07-19 09:23 UTC
Last updated: 2026-04-08 16:45 UTC
Primary CWE: CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product: eoxia / WPshop 2 – E-Commerce
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
eoxia	WPshop 2 – E-Commerce	—	0 < 1.3.9.6

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	CWE-434 Unrestricted Upload of File with Dangerous Type

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)