VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

BaseDraftLikelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 35 of 84
  • CVE-2025-12171 | High | Nov 1, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to…

  • CVE-2025-11755 | High | Nov 1, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level…

  • CVE-2025-11499 | Critical | Nov 1, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including,…

  • CVE-2025-9561 | High | Oct 3, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with…

  • CVE-2025-11221 | High | Oct 2, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs. This issue affects ChangeFlow: from…

  • CVE-2025-11020 | High | Oct 2, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    An attacker can obtain server information using a Path Traversal vulnerability to conduct SQL Injection, which possibly exploits an Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux. This issue affects SafePC Enterprise:…

  • CVE-2025-10147 | Critical | Sep 23, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload…

  • CVE-2025-9112 | High | Sep 8, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with subscriber-level and…

  • CVE-2025-58048 | Critical | Aug 28, 2025
    risk 0.57 | cvss 9.9 | epss 0.00

    Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user to upload arbitrary files. This could result in sensitive data extraction from the database,…

  • CVE-2025-6079 | High | Aug 16, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with…

  • CVE-2025-8323 | High | Jul 30, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The e-School from Ventem has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

  • CVE-2025-5831 | High | Jul 25, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and excluding, 2.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and…

  • CVE-2025-7852 | Critical | Jul 24, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls…

  • CVE-2025-7437 | Critical | Jul 24, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on…

  • CVE-2025-46384 | High | Jul 20, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    CWE-434 Unrestricted Upload of File with Dangerous Type

  • CVE-2025-7340 | Critical | Jul 15, 2025
    risk 0.57 | cvss 9.8 | epss 0.02

    The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and including, 2.2.1. This makes it…

  • CVE-2025-6423 | High | Jul 12, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with…

  • CVE-2025-4413 | High | Jun 18, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above,…

  • CVE-2025-5395 | High | Jun 11, 2025
    risk 0.57 | cvss 8.8 | epss 0.01

    The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access…

  • CVE-2025-4387 | High | Jun 10, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    The Abandoned Cart Pro for WooCommerce plugin contains an authenticated arbitrary file upload vulnerability due to missing file type validation in the wcap_add_to_cart_popup_upload_files function in all versions up to, and including, 9.16.0. This makes it possible for an…