CVE-2016-15042 lab: Dockerized WordPress PoC for unauthenticated file upload in Frontend File Manager <4.0 and N‑Media Post Front‑end Form <1.1

ImBIOS/lab-cve-2016-15042

CVE-2016-15042 – WordPress Frontend File Manager & N‑Media Post Front‑end Form Unauthenticated File Upload (PoC Lab)

Fully reproducible, Dockerized lab to validate and demonstrate CVE-2016-15042:

  • Frontend File Manager (nmedia-user-file-uploader) v3.7 (vulnerable < 4.0)
  • N‑Media Post Front‑end Form (wp-post-frontend) v1.0 (vulnerable < 1.1)

This repo provides a one-command setup, verification steps with Nuclei, and artifacts for reviewers. Keywords: WordPress, CVE-2016-15042, unauthenticated file upload, arbitrary file upload, PoC, security lab, Docker.

Requirements

  • Docker + Docker Compose plugin
  • curl
  • Nuclei (optional, for verification)

Quick start

./scripts/setup.sh

Once finished:

Verify the vulnerability with Nuclei (debug enabled)

Option A: Download the template locally into this lab folder and run it.

curl -sL "https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/http/cves/2016/CVE-2016-15042.yaml" -o ./CVE-2016-15042.yaml
nuclei -t ./CVE-2016-15042.yaml -u http://localhost:8090 -debug -vv \
  | tee ./debug/CVE-2016-15042-debug.txt

Option B: If you have the templates repo locally, run the template by path:

nuclei -t /path/to/nuclei-templates/http/cves/2016/CVE-2016-15042.yaml -u http://localhost:8090 -debug -vv \
  | tee ./debug/CVE-2016-15042-debug.txt

The debug output file is stored at ./debug/CVE-2016-15042-debug.txt for reviewers.

What this lab does

  • Boots a clean WordPress with the two vulnerable plugins
  • Configures guest uploads for Frontend File Manager for reliable unauthenticated testing
  • Exposes WordPress on localhost:8090

Notes

  • If ports or credentials collide in your setup, edit docker-compose.yml and re-run the script.
  • Artifacts are kept under ./debug/ for easy PR review.
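
A defender-side check for the affected versions listed at the top of this README, added here as an example and not part of the lab repository. It reads `name,version` CSV rows (the shape that `wp plugin list --fields=name,version --format=csv` prints) and flags the two plugins when they fall below the bounds given above; the function name `audit_plugins` and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: flag installed plugin versions that fall in the ranges
# this lab lists as vulnerable (nmedia-user-file-uploader < 4.0,
# wp-post-frontend < 1.1). Reads "name,version" CSV rows on stdin.

audit_plugins() {
    awk -F, '
    # Compare dotted numeric versions field by field; returns 1 when a < b.
    # Missing fields count as 0, so 4.0 and 4.0.0 compare equal.
    function version_lt(a, b,    i, n, m, x, y, pa, pb) {
        n = split(a, pa, ".")
        m = split(b, pb, ".")
        if (m > n) n = m
        for (i = 1; i <= n; i++) {
            x = pa[i] + 0
            y = pb[i] + 0
            if (x < y) return 1
            if (x > y) return 0
        }
        return 0
    }
    BEGIN {
        # Upper bounds of the vulnerable ranges, taken from the README.
        bound["nmedia-user-file-uploader"] = "4.0"
        bound["wp-post-frontend"] = "1.1"
    }
    {
        sub(/\r$/, "", $2)          # tolerate CRLF line endings
    }
    ($1 in bound) {
        verdict = version_lt($2, bound[$1]) ? "VULNERABLE" : "ok"
        printf "%s %s %s (lab lists < %s as vulnerable)\n", \
            verdict, $1, $2, bound[$1]
    }
    '
}

# Constructed sample inventory, not output from a real site.
SAMPLE_CSV='name,version
akismet,5.3
nmedia-user-file-uploader,3.7
wp-post-frontend,1.1'

printf '%s\n' "$SAMPLE_CSV" | audit_plugins
```

Plugins other than the two named in this lab are ignored, so the output stays limited to what CVE-2016-15042 covers.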

References
