Favicon Generator < 2.1 - Arbitrary File Upload via CSRF
Description
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make a logged-in admin upload arbitrary files, such as PHP, to the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Favicon Generator WordPress plugin before 2.1 allows arbitrary file upload, enabling remote code execution via admin session.
Vulnerability
The Favicon Generator WordPress plugin (CLOSED) before version 2.1 lacks file upload validation and CSRF protections. This allows an attacker to craft a malicious request that, when triggered by a logged-in administrator, uploads arbitrary files (e.g., PHP web shells) to the server. [1]
Exploitation
An attacker can send a crafted link or form to an authenticated admin. Without CSRF token checks, the admin's browser submits the file upload request on behalf of the attacker. The plugin does not validate the file type, so a PHP file can be uploaded. [1]
Impact
Successful exploitation results in arbitrary file upload, enabling the attacker to execute arbitrary PHP code on the server. This can lead to full site compromise, data theft, and further attacks. [1]
Mitigation
Update to version 2.1 of the Favicon Generator plugin, which fixes the issue. If updating is not possible, consider disabling the plugin or implementing additional CSRF protections and file type validation. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Favicon Generator (CLOSED) WordPress plugin, range: < 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection and lack of file validation in the upload functionality allow arbitrary file upload."
Attack vector
An attacker crafts a malicious request that tricks a logged-in administrator into unknowingly uploading an arbitrary file (e.g., a PHP web shell) via the plugin's upload feature. Because the plugin lacks CSRF checks [CWE-352], the attacker can forge a request on behalf of the admin without their consent. The plugin also fails to validate the uploaded file type, so a PHP file can be submitted and stored on the server [ref_id=1].
Affected code
The Favicon Generator (CLOSED) WordPress plugin before version 2.1 lacks file validation and CSRF protection in its file upload functionality. The advisory does not specify exact function or file names within the plugin [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 2.1 of the plugin, but no patch diff is provided [ref_id=1]. To close the vulnerability, the vendor should have added CSRF nonce verification to the upload handler and implemented file-type validation (e.g., checking MIME type and extension) to reject non-image files such as PHP scripts.
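The page only describes the two missing controls; the following is an added example of what a hardened WordPress upload handler with both controls looks like. It is not the Favicon Generator plugin's code, and the hook, option, field and function names (prefixed fg_example_) are assumptions for illustration. It contrasts with the defect class described above, where a handler passes $_FILES data straight to move_uploaded_file() with no nonce, capability or type check.

```php
<?php
// Added example (not the Favicon Generator plugin's code): a hardened
// admin-side favicon upload handler. Names prefixed fg_example_ are assumed.

require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload()

// Form side: emit a nonce bound to one action so the handler can confirm
// the submission originated from this admin page, not a third-party site.
function fg_example_render_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    wp_nonce_field( 'fg_example_upload_favicon', 'fg_example_nonce' ); // assumed action/field names
    echo '<input type="file" name="fg_favicon" accept="image/png,image/x-icon">';
    submit_button( 'Upload favicon' );
    echo '</form>';
}

// Handler side, run on admin_init.
function fg_example_handle_upload() {
    if ( empty( $_FILES['fg_favicon'] ) ) {
        return;
    }

    // 1. CSRF (CWE-352): stops with a 403 unless the nonce is present and valid.
    check_admin_referer( 'fg_example_upload_favicon', 'fg_example_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege; check capability separately.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. File type: allow only the image types a favicon can legitimately be.
    //    wp_check_filetype_and_ext() inspects the real content for images, so a
    //    PHP script renamed to shell.png is rejected along with shell.php.
    $allowed_mimes = array(
        'png' => 'image/png',
        'ico' => 'image/x-icon',
    );
    $file  = $_FILES['fg_favicon'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only PNG or ICO images are accepted.', '', array( 'response' => 400 ) );
    }

    // 4. Let WordPress place the file under the uploads directory; passing the
    //    same allow-list makes wp_handle_upload() enforce it a second time.
    $overrides = array(
        'test_form' => false,          // we validated the nonce ourselves above
        'mimes'     => $allowed_mimes,
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    update_option( 'fg_example_favicon_url', esc_url_raw( $result['url'] ) ); // assumed option name
}
add_action( 'admin_init', 'fg_example_handle_upload' );
```

The nonce and the capability check answer different questions (did this admin intend the request, and is this user allowed to upload), so both are needed. As defence in depth independent of any plugin, the web server should also be configured not to execute PHP from the uploads directory, which limits the blast radius if a validation bypass is ever found.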
Preconditions
- Input: the attacker must trick a logged-in WordPress administrator into visiting a malicious page or link
- Auth: the administrator must have upload privileges in the Favicon Generator plugin
Reproduction
The advisory's Proof of Concept section is empty; no reproduction steps are documented in the supplied bundle [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/5e814b02-3870-4742-905d-ec03b0d31add/ (mitre; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.