CVE-2015-6967
A vulnerability was found in Nibbleblog up to 4.0.4. It has been classified as critical. Affected is some unknown functionality of the file content/private/plugins/my_image/image.php of the component My Image Plugin. Manipulation with an unknown input leads to an unrestricted upload vulnerability. CWE classifies the issue as CWE-434: the software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment. This has an impact on confidentiality, integrity, and availability. CVE summarizes:
Target webapp is vulnerable to RCE via file upload with an executable extension (likely PHP)
Uploaded files are available in content/private/plugins/my_image
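A detection check built on the two summary points above, as an added example that is not part of the original notes: it flags access-log requests under content/private/plugins/my_image for anything other than a plain image. The log lines, the extension lists and the function names are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Directory this page names as the location of uploaded files.
UPLOAD_DIR = "/content/private/plugins/my_image/"
# Assumption: only these static image types are expected there.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Assumption: extensions a PHP-enabled server may pass to the interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Common/combined log format: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(path):
    """Return a reason if a request path under UPLOAD_DIR is suspicious, else None."""
    # Drop the query, decode %-escapes, collapse ../ and fold case before matching.
    clean = "/" + normpath(unquote(urlsplit(path).path)).lower().lstrip("/")
    if not (clean + "/").startswith(UPLOAD_DIR):
        return None
    rel = clean[len(UPLOAD_DIR):]
    if not rel:
        return None  # the directory itself, not a file
    segments = rel.split("/")
    for seg in segments:
        # Catches image.php, image.php.jpg and image.php/x.jpg (PATH_INFO style).
        if SCRIPT_EXTS & set(seg.split(".")[1:]):
            return "script extension"
    name = segments[-1]
    if "." not in name or name.rpartition(".")[2] not in IMAGE_EXTS:
        return "non-image file"
    return None

def scan(lines):
    """Return (client, path, status, reason) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify(m.group(3))):
            hits.append((m.group(1), m.group(3), int(m.group(4)), reason))
    return hits

# Constructed sample log lines (documentation IP ranges).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /content/private/plugins/my_image/image.jpg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /content/private/plugins/my_image/image.php HTTP/1.1" 200 48',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /content/private/plugins/my_image/image.pHp%2Fx.jpg HTTP/1.1" 200 48',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /content/private/plugins/my_image/notes.txt HTTP/1.1" 403 199',
    '203.0.113.9 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with status 200 and reason "script extension" is the case that matters most, since it means the server answered a request for a script inside the upload directory.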
Exploit
I found the Python script that exploits CVE-2015-6967
It would require a PHP payload to upload to the target web app