Gianni Angelozzi

**Name of the Vulnerable Software and Affected Versions** jQuery File Upload Plugin version 6.4.4 Creative Solutions Creative Contact Form versions prior to 1.0.0 for WordPress Creative Solutions Creative Contact Form versions prior to 2.0.1 for Joomla! **Description** The issue allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in `files/`. This has been exploited in the wild in October 2014. **Recommendations** For jQuery File Upload Plugin version 6.4.4, update to a version that fixes the unrestricted file upload vulnerability. For Creative Solutions Creative Contact Form before 1.0.0 for WordPress, update to version 1.0.0 or later. For Creative Solutions Creative Contact Form before 2.0.1 for Joomla!, update to version 2.0.1 or later. As a temporary workaround, consider restricting access to the `files/` directory to minimize the risk of exploitation.