VYPR

CWE-434

Unrestricted Upload of File with Dangerous Type

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1

CVEs mapped to this weakness (1,669)

page 5 of 84
  • CVE-2017-1002008 | Critical | Sep 14, 2017
    risk 0.68 | cvss 9.8 | epss 0.17

    Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges.

  • CVE-2017-1002003 | Critical | Sep 14, 2017
    risk 0.68 | cvss 9.8 | epss 0.12

    Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.

  • CVE-2017-1002002 | Critical | Sep 14, 2017
    risk 0.68 | cvss 9.8 | epss 0.13

    Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/

  • CVE-2017-1002001 | Critical | Sep 14, 2017
    risk 0.68 | cvss 9.8 | epss 0.11

    Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.

  • CVE-2024-8425 | Critical | Feb 28, 2025
    risk 0.67 | cvss 9.8 | epss 0.04

    The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes…

  • CVE-2024-49607 | Critical | Oct 20, 2024
    risk 0.67 | cvss 10.0 | epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in redhopit WP Dropbox Dropins wp-dropbox-dropins allows Upload a Web Shell to a Web Server. This issue affects WP Dropbox Dropins: from n/a through <= 1.0.

  • CVE-2024-5084 | Critical | May 23, 2024
    risk 0.67 | cvss 9.8 | epss 0.51

    The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to…

  • CVE-2018-11523 | Critical | May 29, 2018
    risk 0.67 | cvss 9.8 | epss 0.10

    upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, such as upload of .php files.

  • CVE-2018-6411 | Critical | May 26, 2018
    risk 0.67 | cvss 9.8 | epss 0.06

    An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.

  • CVE-2014-4912 | Critical | Mar 22, 2018
    risk 0.67 | cvss 9.8 | epss 0.09

    An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation.

  • CVE-2018-7316 | Critical | Feb 22, 2018
    risk 0.67 | cvss 9.8 | epss 0.09

    Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla! via a mediafileform action.

  • CVE-2017-15990 | Critical | Oct 31, 2017
    risk 0.67 | cvss 9.8 | epss 0.08

    Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/.

  • CVE-2017-15962 | Critical | Oct 29, 2017
    risk 0.67 | cvss 9.8 | epss 0.05

    iStock Management System 1.0 allows Arbitrary File Upload via user/profile.

  • CVE-2026-1306 | Critical | Feb 14, 2026
    risk 0.66 | cvss 9.8 | epss 0.04

    The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary…

  • CVE-2025-7441 | Critical | Aug 16, 2025
    risk 0.66 | cvss 9.8 | epss 0.37

    The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible…

  • CVE-2025-22654 | Critical | Feb 18, 2025
    risk 0.66 | cvss 10.0 | epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using Malicious Files. This issue affects Simplified: from n/a through <= 1.0.6.

  • CVE-2024-6313 | Critical | Jul 9, 2024
    risk 0.66 | cvss 9.8 | epss 0.01

    The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the 'upload' function in versions up to, and including, 2.2.9. This makes it possible for unauthenticated attackers to upload arbitrary files…

  • CVE-2024-34555 | Critical | May 14, 2024
    risk 0.66 | cvss 10.0 | epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in URBAN BASE Z-Downloads. This issue affects Z-Downloads: from n/a through 1.11.3.

  • CVE-2026-40772 | Critical | Jun 15, 2026
    risk 0.65 | cvss 10.0 | epss 0.00

    Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

  • CVE-2026-40412 | Critical | May 22, 2026
    risk 0.65 | cvss 10.0 | epss 0.01

    Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.