VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 15 of 84
  • CVE-2025-11948CriOct 20, 2025
    risk 0.64cvss 9.8epss 0.01

    Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

  • CVE-2025-11391CriOct 18, 2025
    risk 0.64cvss 9.8epss 0.01

    The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for…

  • CVE-2023-28814CriOct 17, 2025
    risk 0.64cvss 9.8epss 0.00

    Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market…

  • CVE-2025-10041CriOct 15, 2025
    risk 0.64cvss 9.8epss 0.01

    The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-6553CriOct 11, 2025
    risk 0.64cvss 9.8epss 0.01

    The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-10412CriSep 23, 2025
    risk 0.64cvss 9.8epss 0.01

    The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55.…

  • CVE-2025-9113CriSep 8, 2025
    risk 0.64cvss 9.8epss 0.01

    The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-31100CriAug 31, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Mojoomla School Management allows Upload a Web Shell to a Web Server.This issue affects School Management: from n/a through 1.93.1 (02-07-2025).

  • CVE-2012-10062HigAug 30, 2025
    risk 0.64cvss epss 0.01

    A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials.…

  • CVE-2025-54762CriAug 28, 2025
    risk 0.64cvss 9.8epss 0.00

    SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.

  • CVE-2025-53970CriAug 28, 2025
    risk 0.64cvss 9.8epss 0.00

    SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.

  • CVE-2025-53251CriAug 21, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a through < 7.2.

  • CVE-2025-53213CriAug 20, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping elex-reachship-multi-carrier-conditional-shipping allows Using Malicious Files.This issue affects ReachShip WooCommerce Multi-Carrier &…

  • CVE-2025-6679CriAug 15, 2025
    risk 0.64cvss 9.8epss 0.01

    The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which…

  • CVE-2025-24775CriAug 14, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.9.0.

  • CVE-2012-10056HigAug 13, 2025
    risk 0.64cvss epss 0.01

    PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is…

  • CVE-2025-22470CriAug 6, 2025
    risk 0.64cvss 9.8epss 0.01

    CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1 allow crafted dangerous files to be uploaded. An arbitrary Lua script may be executed on the system with the root privilege.

  • CVE-2025-6222CriJul 18, 2025
    risk 0.64cvss 9.8epss 0.01

    The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ced_rnx_order_exchange_attach_files' function in all versions up to, and…

  • CVE-2025-5746CriJul 2, 2025
    risk 0.64cvss 9.8epss 0.01

    The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all…

  • CVE-2025-47559CriJun 17, 2025
    risk 0.64cvss 9.9epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through < 8.7.4.