High severity (score 8.8) · NVD Advisory · Published Jun 15, 2026

CVE-2016-20075

Description

WordPress Ultimate Product Catalog 3.8.6 allows authenticated users to upload arbitrary files via custom fields, leading to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the UPCP_Handle_File_Upload function in Functions/Update_Admin-Databases.php of the WordPress Ultimate Product Catalog plugin version 3.8.6 and below. The function does not validate file extensions, allowing authenticated users to upload arbitrary files through the custom fields functionality. When a custom field of type "file" is added and a product is saved, the uploaded file is moved to the wp-content/uploads/upcp-product-file-uploads/ directory without any extension check [1].

Exploitation

An attacker must have an authenticated WordPress account with at least the contributor role (or editor, author, administrator). The exploitation steps are:
1) Navigate to the "Custom fields" tab and add a new custom field with type "file".
2) Go to the "Products" tab, locate the newly added file field, select a PHP shell file, and save the product.
3) Access the uploaded shell at http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<shell-name> to execute arbitrary PHP code [1].
No additional user interaction is required beyond the attacker's own actions.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full compromise of the WordPress site. The attacker gains the ability to read, write, and delete files, access the database, and potentially pivot to other systems [1][3].

Mitigation

As of the available references, the vendor (Etoile Web Design) has not released a patched version for this vulnerability [2]. Users should upgrade to a later version of the plugin if available, or disable the plugin if not needed. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog (KEV) as per available data.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing file extension validation in the UPCP_Handle_File_Upload function allows arbitrary file upload."

Attack vector

An attacker must first authenticate with a WordPress account that has at least the Contributor role (Contributor, Editor, Author, or Administrator) [ref_id=1]. The attacker then creates a custom field of type 'file' under the 'Custom fields' tab, goes to the 'Products' tab, and uploads a PHP shell via that custom file field. The uploaded shell is accessible at `wp-content/uploads/upcp-product-file-uploads/` and can be executed to achieve remote code execution [ref_id=1].

Affected code

The vulnerable code resides in `Functions/Update_Admin-Databases.php` within the function `UPCP_Handle_File_Upload`. This function does not validate the file extension of uploaded files, allowing any file type to be saved to the `wp-content/uploads/upcp-product-file-uploads/` directory [ref_id=1].

What the fix does

The advisory does not provide a patch. The root cause is that `UPCP_Handle_File_Upload` in `Functions/Update_Admin-Databases.php` calls `move_uploaded_file()` without checking the uploaded file's extension [ref_id=1]. A proper fix would validate the file extension against an allowlist (e.g., only image types) and use WordPress's built-in `wp_upload_bits()` or `wp_check_filetype()` to ensure only safe file types are stored.
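The allowlist-plus-core-API fix described above, as an added illustration that is not the plugin's or the advisory's own code: the unchecked pattern the advisory describes next to a hardened handler. The function names (`upcp_handle_file_upload_unchecked`, `upcp_handle_file_upload_checked`), the `$field_key` parameter and the allowlist contents are assumptions; WordPress core is assumed to be loaded.

```php
<?php
// Added illustration, not the plugin's code; function names, $field_key and the allowlist are assumed.
// The pattern the advisory describes: the temp file is moved under its client-supplied
// name with no extension or content check, so a .php body lands in a web-served directory.
function upcp_handle_file_upload_unchecked( $field_key ) {
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'upcp-product-file-uploads/';
    $dest = $dir . basename( $_FILES[ $field_key ]['name'] );
    move_uploaded_file( $_FILES[ $field_key ]['tmp_name'], $dest );
    return $dest;
}
// Hardened form: capability check, extension/MIME allowlist via wp_check_filetype(),
// a content sniff for each allowed type, a server-chosen name, and a non-executable directory.
function upcp_handle_file_upload_checked( $field_key ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'upcp_forbidden', 'Insufficient capability.' );
    }
    $file = isset( $_FILES[ $field_key ] ) ? $_FILES[ $field_key ] : null;
    if ( ! $file || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'upcp_no_file', 'No uploaded file.' );
    }
    // Allowlist in WordPress's "ext pattern => MIME" shape; nothing the web server executes.
    $allowed = array( 'pdf' => 'application/pdf', 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $name  = sanitize_file_name( $file['name'] );  // drops path separators and control bytes
    $check = wp_check_filetype( $name, $allowed );  // matches the final extension only
    if ( empty( $check['ext'] ) ) {
        return new WP_Error( 'upcp_bad_type', 'File type not allowed.' );
    }
    // Do not trust the name alone: the bytes must match the claimed type.
    if ( 0 === strpos( $check['type'], 'image/' ) ) {
        $real = wp_get_image_mime( $file['tmp_name'] );  // false unless a real image
    } else {
        $head = file_get_contents( $file['tmp_name'], false, null, 0, 5 );
        $real = ( '%PDF-' === $head ) ? 'application/pdf' : false;
    }
    if ( $real !== $check['type'] ) {
        return new WP_Error( 'upcp_bad_content', 'File content does not match its type.' );
    }
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'upcp-product-file-uploads/';
    wp_mkdir_p( $dir );
    // Defence in depth (Apache mod_php; nginx needs an equivalent location rule): files here are served, never executed.
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        file_put_contents( $dir . '.htaccess', "php_flag engine off\nRemoveHandler .php .phtml .phar\n" );
    }
    $dest = $dir . wp_unique_filename( $dir, $name );  // server-chosen name, allowlisted extension
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'upcp_move_failed', 'Could not store file.' );
    }
    return $dest;
}
```

The `.htaccess` directives only take effect where the server's `AllowOverride` permits them, so the extension and content checks remain the primary control.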

Preconditions

  • auth: Attacker must have a WordPress account with at least the Contributor role (contributor, editor, author, or administrator).
  • config: The plugin must be the premium version of Ultimate Product Catalog v3.8.6 or below.
  • input: Attacker must be able to access the WordPress admin panel to create custom fields and upload files.

Reproduction

1. Go to the 'Custom fields' tab and add a new custom field with type 'file'.
2. Go to the 'Products' tab; a new file upload field appears.
3. Select a PHP shell and save the product.
4. Access the shell at `http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<shell-name>` [ref_id=1].

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
