VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 27 of 84
  • CVE-2018-11736CriJun 5, 2018
    risk 0.60cvss 9.8epss 0.09

    An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.

  • CVE-2017-14840HigSep 28, 2017
    risk 0.60cvss 8.8epss 0.04

    TeamWork TicketPlus allows Arbitrary File Upload in updateProfile.

  • CVE-2017-14839HigSep 28, 2017
    risk 0.60cvss 8.8epss 0.04

    TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover.

  • CVE-2017-14838HigSep 28, 2017
    risk 0.60cvss 8.8epss 0.04

    TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange.

  • CVE-2026-9067CriJun 10, 2026
    risk 0.59cvss 9.1epss 0.00

    The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users…

  • CVE-2026-3844CriApr 23, 2026
    risk 0.59cvss 9.8epss 0.37

    The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2026-35174CriApr 6, 2026
    risk 0.59cvss 9.1epss 0.01

    Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows…

  • CVE-2026-2701CriApr 2, 2026
    risk 0.59cvss 9.1epss 0.49

    Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

  • CVE-2026-32524CriMar 25, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9.

  • CVE-2026-27067CriMar 19, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through <= 1.3.1.

  • CVE-2026-27540CriMar 19, 2026
    risk 0.59cvss 9.0epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1.

  • CVE-2026-28114CriMar 5, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6.

  • CVE-2026-23802CriMar 5, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine ai-engine allows Using Malicious Files.This issue affects AI Engine: from n/a through <= 3.3.2.

  • CVE-2025-69312CriJan 22, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.

  • CVE-2025-67910CriJan 8, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7.

  • CVE-2023-50897CriJan 5, 2026
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.

  • CVE-2025-66074CriDec 18, 2025
    risk 0.59cvss 9.0epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8.

  • CVE-2025-52758CriOct 22, 2025
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.

  • CVE-2025-42910CriOct 14, 2025
    risk 0.59cvss 9.0epss 0.00

    Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful…

  • CVE-2025-58819CriSep 5, 2025
    risk 0.59cvss 9.1epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4.