Holding Pattern Theme <= 0.6 – Arbitrary File Upload | CVE 2015-1172 | Theme Vulnerabilities

Description

An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation.

Disclosure timeline:

2015-01-14 Vendor Alerted via email.
2015-01-14 Fix Requested via email.
2015-01-14 Vendor made clear no patch will be available.
2015-01-18 Public disclosure.

Currently we are not aware of any official solution for this vulnerability. Product is EOL and no security fixes will be made available.

Temporary solution may be to remove the file admin/upload-file.php

Affects Themes

holding_pattern

No known fix

References

CVE

URL

https://packetstormsecurity.com/files/#130282/

URL

https://www.securityfocus.com/archive/1/534635/30/0/threaded

Miscellaneous

Submitter

Alexander Borg

Submitter website

http://www.servernet.se/

Verified

Yes

WPVDB ID

dd73c962-a565-4053-8cdc-c7d88b2bfaae

Timeline

Publicly Published

2015-02-22 (about 11 years ago)

Added

2015-02-09 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2014-08-01

Title

wp-gpx-max version 1.1.21 - Arbitrary File Upload

Published

2014-08-01

Title

Vk Gallery 1.1.0 - Shell Upload

Published

2025-08-21

Title

Developer Tools <= 1.1.3 – Unauthenticated Arbitrary File Upload

Published

2026-01-13

Title

Blogistic <= 1.0.5 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-10-17

Title

Nice Backgrounds <= 1.0 - Authenticated (Subscriber+) Arbitrary File Upload