VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base
Status: Draft
Likelihood of Exploit: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 34 of 84
  • CVE-2025-2155 (High, Dec 24, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025.

  • CVE-2025-13329 (Critical, Dec 20, 2025)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for…

  • CVE-2023-53956 (High, Dec 19, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code…

  • CVE-2023-53869 (High, Dec 15, 2025)
    risk 0.57 | CVSS (none listed) | EPSS 0.00

    WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the…

  • CVE-2025-13094 (High, Dec 13, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level…

  • CVE-2025-12968 (High, Dec 12, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating…

  • CVE-2025-14390 (High, Dec 10, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-12673 (Critical, Dec 6, 2025)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-12154 (High, Dec 5, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and…

  • CVE-2025-12153 (High, Dec 5, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload…

  • CVE-2025-13543 (High, Dec 4, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level…

  • CVE-2025-13827 (High, Dec 2, 2025)
    risk 0.57 | CVSS (none listed) | EPSS 0.00

    Summary: Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact: If the media folder is not restricted from running files this can lead to a remote code execution.

  • CVE-2025-13597 (Critical, Nov 25, 2025)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub…

  • CVE-2025-13595 (Critical, Nov 25, 2025)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub…

  • CVE-2025-12138 (High, Nov 21, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header to validate file uploads in…

  • CVE-2025-13069 (High, Nov 18, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.3. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to…

  • CVE-2025-12775 (High, Nov 18, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any…

  • CVE-2025-12161 (High, Nov 8, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with…

  • CVE-2025-12682 (Critical, Nov 4, 2025)
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'file_during_checkout' function in all versions up to, and including, 2.9.8. This makes it possible for unauthenticated…

  • CVE-2025-11724 (High, Nov 4, 2025)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and missing authorization…