CVE-2026-40772

Vulnerability

An arbitrary file upload vulnerability exists in the WordPress plugin GeekyBot versions 1.2.2 and earlier [1]. The vulnerability requires no authentication, allowing any unauthenticated remote attacker to upload files of arbitrary types to the server [1]. The flaw is reachable via the plugin's file upload functionality without any special configuration.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious file (e.g., a PHP web shell) to the vulnerable upload endpoint [1]. The attacker does not need any prior authentication or user interaction. The exploitation is straightforward and can be automated; this vulnerability is expected to be used in mass-exploit campaigns [1].

Impact

Successful exploitation allows the attacker to upload any file type, including executable scripts such as backdoors [1]. Once uploaded, the attacker can execute the malicious file on the server, leading to complete compromise of the WordPress site, including unauthorized access, data theft, site defacement, and further propagation [1]. The CVSS v3 score is 10.0, indicating critical severity [1].

Mitigation

The vendor has released version 1.2.3 which fixes the vulnerability [1]. Administrators should update to version 1.2.3 or later immediately [1]. As a workaround, Patchstack provides a mitigation rule to block attacks until updating is possible [1]. For Patchstack subscribers, enabling auto-update for vulnerable plugins is recommended [1].