CVE-2026-9227
Description
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The GutenBee plugin for WordPress has an arbitrary file upload vulnerability due to a flawed extension check, allowing authenticated attackers to achieve remote code execution.
Vulnerability
The GutenBee – Gutenberg Blocks plugin for WordPress contains an arbitrary file upload vulnerability in all versions up to and including 2.20.1. The flaw resides in the gutenbee_file_and_ext_json function, which uses a strpos() call to verify that the filename contains the substring '.json' rather than confirming the filename ends with a .json extension. This allows double-extension filenames like shell.json.php to bypass validation, enabling the upload of potentially executable files [1][2][3][4].
Exploitation
An authenticated attacker with at least author-level access to a WordPress site can exploit this vulnerability. The attacker can craft a file with a name such as shell.json.php, which passes the flawed substring check. When the file is uploaded via the plugin's mechanism, it is stored on the server. The attacker does not need any special privileges beyond author-level access, and no user interaction is required [1][2][3][4].
Impact
Successful exploitation allows the attacker to upload arbitrary files, including PHP scripts, that can then be executed on the server. This leads to remote code execution (RCE) in the context of the web server, potentially allowing full compromise of the WordPress site, including data theft, site defacement, or further attacks on the underlying server [1][2][3][4].
Mitigation
As of the publication date of 2026-05-28, a patched version has not been disclosed in the available references. The vulnerability affects all versions up to and including 2.20.1. Users should monitor the plugin's update page for a fixed release. No workaround is provided in the references. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2][3][4].
- https://plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.0/gutenbee.php#L579
- https://plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.0/gutenbee.php#L571
- https://plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.0/gutenbee.php#L570
- https://plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.1/gutenbee.php#L579
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
1bde934cdecf6FIXED: Remove JSON upload whitelisting (leftover from experimental Lottie support). Fixes CVE-2026-9227 (props Athiwat Tiprasaharn (Jitlada))
1 file changed · +0 −16
gutenbee.php+0 −16 modified@@ -565,22 +565,6 @@ function gutenbee_has_block_in_reusable( $block_name, $id = false ) { return false; } -// TODO think what to do here enabling JSON uploads -add_filter( 'wp_check_filetype_and_ext', 'gutenbee_file_and_ext_json', 10, 4 ); -function gutenbee_file_and_ext_json( $types, $file, $filename, $mimes ) { - if ( false !== strpos( $filename, '.json' ) ) { - $types['ext'] = 'json'; - $types['type'] = 'application/json'; - } - return $types; -} - -add_filter( 'upload_mimes', 'gutenbee_mime_types' ); -function gutenbee_mime_types( $mimes ) { - $mimes['json'] = 'application/json'; - return $mimes; -} - add_filter( 'plugin_action_links_gutenbee/gutenbee.php', 'gutenbee_settings_link' ); function gutenbee_settings_link( $links ) { $action_links = array(
Vulnerability mechanics
Root cause
"A flawed `strpos()` substring check in `gutenbee_file_and_ext_json` only verifies that the filename contains `.json` anywhere, rather than confirming the filename ends with `.json`, allowing double-extension filenames like `shell.json.php` to bypass file-type validation."
Attack vector
An authenticated attacker with at least Author-level access can upload a file with a double extension such as `shell.json.php`. The flawed `strpos()` check in `gutenbee_file_and_ext_json` sees `.json` anywhere in the filename and overrides the file type to `application/json`, bypassing WordPress's normal extension-based validation. Because the file actually ends in `.php`, the server may execute it as PHP code, leading to remote code execution. The attack is network-based and requires no special configuration beyond the default WordPress media upload capability granted to Authors.
Affected code
The vulnerable code is the `gutenbee_file_and_ext_json` function in `gutenbee.php` (lines 568–573 of the vulnerable version). This function was hooked into `wp_check_filetype_and_ext` and used `strpos( $filename, '.json' )` to check whether the filename contains the substring `.json` anywhere, rather than verifying the filename ends with `.json`. The patch removes the entire function and its associated `upload_mimes` filter [patch_id=2868995].
What the fix does
The patch [patch_id=2868995] removes the entire `gutenbee_file_and_ext_json` function and the `gutenbee_mime_types` filter that allowed JSON uploads. The commit message states this was "leftover from experimental Lottie support." By deleting the flawed `strpos()`-based whitelist, WordPress's built-in file-type validation (which checks the actual file extension) is no longer overridden, preventing double-extension filenames from being accepted as valid JSON uploads.
Preconditions
- authAttacker must have an authenticated WordPress account with Author-level access or higher.
- configThe GutenBee plugin must be installed and active in a version up to 2.20.1.
- inputThe WordPress media upload functionality must be accessible to the attacker's role.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/cssigniter/gutenbee/commit/bde934cdecf67a4de1d6548cc1fc6c59bc6690e5nvd
- plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.0/gutenbee.phpnvd
- plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.0/gutenbee.phpnvd
- plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.0/gutenbee.phpnvd
- plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.1/gutenbee.phpnvd
- plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.1/gutenbee.phpnvd
- plugins.trac.wordpress.org/browser/gutenbee/tags/2.20.1/gutenbee.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/2d20e8c9-975d-4e8c-8bea-50935853c7d4nvd
News mentions
0No linked articles in our index yet.