CVE-2014-8739: 
PHP vulnerability analysis and mitigation

CVE-2014-8739 is an unrestricted file upload vulnerability affecting the jQuery File Upload Plugin 6.4.4, specifically in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) plugin versions before 1.0.0 for WordPress and before 2.0.1 for Joomla!. The vulnerability was discovered in October 2014 and was actively exploited in the wild (Exploit DB, OSS Security).

The vulnerability exists in the server/php/UploadHandler.php file, which allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension and then accessing it via a direct request to the file in the files/ directory. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

The vulnerability allows remote attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant security risk to affected installations (NVD).

Users of the affected software should upgrade to Creative Contact Form version 1.0.0 or later for WordPress, and version 2.0.1 or later for Joomla!. These versions contain fixes for the vulnerability (WordPress Changelog).