CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

CWE-669

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,190)

page 16 of 60

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-46264	Cri	0.64	9.9	0.00	Apr 24, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server.This issue affects PowerPress Podcasting: from n/a through <= 11.12.5.
CVE-2021-4455	Cri	0.64	9.8	0.02	Apr 19, 2025	The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-1093	Cri	0.64	9.8	0.02	Apr 19, 2025	The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-32682	Cri	0.64	9.9	0.00	Apr 17, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.6.4.
CVE-2025-32652	Cri	0.64	9.9	0.00	Apr 17, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra solace-extra allows Using Malicious Files.This issue affects Solace Extra: from n/a through <= 1.3.1.
CVE-2025-27282	Cri	0.64	9.9	0.00	Apr 17, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Using Malicious Files.This issue affects Theme File Duplicator: from n/a through <= 1.3.
CVE-2025-32579	Cri	0.64	9.9	0.00	Apr 11, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts sync-posts allows Upload a Web Shell to a Web Server.This issue affects Sync Posts: from n/a through <= 1.0.
CVE-2025-32140	Cri	0.64	9.9	0.00	Apr 10, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Nirmal Kumar Ram WP Remote Thumbnail wp-remote-thumbnail allows Upload a Web Shell to a Web Server.This issue affects WP Remote Thumbnail: from n/a through <= 1.3.2.
CVE-2025-2005	Cri	0.64	9.8	0.03	Apr 2, 2025	The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-2512	Cri	0.64	9.8	0.02	Mar 19, 2025	The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-13011	Cri	0.64	9.8	0.02	Feb 10, 2025	The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-23918	Cri	0.64	9.9	0.00	Jan 22, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server.This issue affects Smallerik File Browser: from n/a through <= 1.1.
CVE-2025-22782	Cri	0.64	9.9	0.00	Jan 15, 2025	Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects WR Price List Manager For Woocommerce: from n/a through <= 1.0.8.
CVE-2022-41573	Cri	0.64	9.8	0.10	Jan 7, 2025	An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.
CVE-2024-55078	Cri	0.64	9.8	0.00	Jan 3, 2025	An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-56057	Cri	0.64	9.9	0.01	Dec 18, 2024	Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
CVE-2024-56052	Cri	0.64	9.9	0.01	Dec 18, 2024	Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
CVE-2024-56050	Cri	0.64	9.9	0.01	Dec 18, 2024	Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.3.
CVE-2024-54370	Cri	0.64	9.9	0.01	Dec 16, 2024	Unrestricted Upload of File with Dangerous Type vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows Upload a Web Shell to a Web Server.This issue affects Video & Photo Gallery for Ultimate Member: from n/a through <= 1.1.0.
CVE-2024-11979	Cri	0.64	9.8	0.02	Nov 29, 2024	DreamMaker from Interinfo has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

CVE-2025-46264CriApr 24, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server.This issue affects PowerPress Podcasting: from n/a through <= 11.12.5.
CVE-2021-4455CriApr 19, 2025
risk 0.64cvss 9.8epss 0.02
The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-1093CriApr 19, 2025
risk 0.64cvss 9.8epss 0.02
The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-32682CriApr 17, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.6.4.
CVE-2025-32652CriApr 17, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra solace-extra allows Using Malicious Files.This issue affects Solace Extra: from n/a through <= 1.3.1.
CVE-2025-27282CriApr 17, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Using Malicious Files.This issue affects Theme File Duplicator: from n/a through <= 1.3.
CVE-2025-32579CriApr 11, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts sync-posts allows Upload a Web Shell to a Web Server.This issue affects Sync Posts: from n/a through <= 1.0.
CVE-2025-32140CriApr 10, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Nirmal Kumar Ram WP Remote Thumbnail wp-remote-thumbnail allows Upload a Web Shell to a Web Server.This issue affects WP Remote Thumbnail: from n/a through <= 1.3.2.
CVE-2025-2005CriApr 2, 2025
risk 0.64cvss 9.8epss 0.03
The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-2512CriMar 19, 2025
risk 0.64cvss 9.8epss 0.02
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-13011CriFeb 10, 2025
risk 0.64cvss 9.8epss 0.02
The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-23918CriJan 22, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server.This issue affects Smallerik File Browser: from n/a through <= 1.1.
CVE-2025-22782CriJan 15, 2025
risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects WR Price List Manager For Woocommerce: from n/a through <= 1.0.8.
CVE-2022-41573CriJan 7, 2025
risk 0.64cvss 9.8epss 0.10
An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.
CVE-2024-55078CriJan 3, 2025
risk 0.64cvss 9.8epss 0.00
An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-56057CriDec 18, 2024
risk 0.64cvss 9.9epss 0.01
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
CVE-2024-56052CriDec 18, 2024
risk 0.64cvss 9.9epss 0.01
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.2.
CVE-2024-56050CriDec 18, 2024
risk 0.64cvss 9.9epss 0.01
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a through < 1.9.9.5.3.
CVE-2024-54370CriDec 16, 2024
risk 0.64cvss 9.9epss 0.01
Unrestricted Upload of File with Dangerous Type vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows Upload a Web Shell to a Web Server.This issue affects Video & Photo Gallery for Ultimate Member: from n/a through <= 1.1.0.
CVE-2024-11979CriNov 29, 2024
risk 0.64cvss 9.8epss 0.02
DreamMaker from Interinfo has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.