CWE-434
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1
CVEs mapped to this weakness (1,669)
page 27 of 84| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11736 | Cri | 0.60 | 9.8 | 0.09 | Jun 5, 2018 | An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file. | ||
| CVE-2017-14840 | Hig | 0.60 | 8.8 | 0.04 | Sep 28, 2017 | TeamWork TicketPlus allows Arbitrary File Upload in updateProfile. | ||
| CVE-2017-14839 | Hig | 0.60 | 8.8 | 0.04 | Sep 28, 2017 | TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover. | ||
| CVE-2017-14838 | Hig | 0.60 | 8.8 | 0.04 | Sep 28, 2017 | TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange. | ||
| CVE-2026-9067 | Cri | 0.59 | 9.1 | 0.00 | Jun 10, 2026 | The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users… | ||
| CVE-2026-3844 | Cri | 0.59 | 9.8 | 0.37 | Apr 23, 2026 | The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary… | ||
| CVE-2026-35174 | Cri | 0.59 | 9.1 | 0.01 | Apr 6, 2026 | Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows… | ||
| CVE-2026-2701 | Cri | 0.59 | 9.1 | 0.49 | Apr 2, 2026 | Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution. | ||
| CVE-2026-32524 | Cri | 0.59 | 9.1 | 0.00 | Mar 25, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9. | ||
| CVE-2026-27067 | — | Cri | 0.59 | 9.1 | 0.00 | Mar 19, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through <= 1.3.1. | |
| CVE-2026-27540 | Cri | 0.59 | 9.0 | 0.00 | Mar 19, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. | ||
| CVE-2026-28114 | — | Cri | 0.59 | 9.1 | 0.00 | Mar 5, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6. | |
| CVE-2026-23802 | Cri | 0.59 | 9.1 | 0.00 | Mar 5, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2. | ||
| CVE-2025-69312 | Cri | 0.59 | 9.1 | 0.00 | Jan 22, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. | ||
| CVE-2025-67910 | Cri | 0.59 | 9.1 | 0.00 | Jan 8, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7. | ||
| CVE-2023-50897 | Cri | 0.59 | 9.1 | 0.00 | Jan 5, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. | ||
| CVE-2025-66074 | Cri | 0.59 | 9.0 | 0.00 | Dec 18, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8. | ||
| CVE-2025-52758 | Cri | 0.59 | 9.1 | 0.00 | Oct 22, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0. | ||
| CVE-2025-42910 | Cri | 0.59 | 9.0 | 0.00 | Oct 14, 2025 | Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful… | ||
| CVE-2025-58819 | Cri | 0.59 | 9.1 | 0.00 | Sep 5, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4. |
- risk 0.60cvss 9.8epss 0.09
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.
- risk 0.60cvss 8.8epss 0.04
TeamWork TicketPlus allows Arbitrary File Upload in updateProfile.
- risk 0.60cvss 8.8epss 0.04
TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover.
- risk 0.60cvss 8.8epss 0.04
TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange.
- risk 0.59cvss 9.1epss 0.00
The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users…
- risk 0.59cvss 9.8epss 0.37
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary…
- risk 0.59cvss 9.1epss 0.01
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows…
- risk 0.59cvss 9.1epss 0.49
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through <= 1.3.1.
- risk 0.59cvss 9.0epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
- risk 0.59cvss 9.0epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.
- risk 0.59cvss 9.0epss 0.00
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful…
- risk 0.59cvss 9.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.