Total
4022 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2125 | 2 Dattateccom, Donweb | 2 Envialosimple Email Marketing Y Newsletters, Envialosimple | 2026-04-08 | 8.8 High |
| The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Cross-Site Request Forgery was patched in 2.4, however, nothing was done about the ability to upload arbitrary files. | ||||
| CVE-2024-9942 | 2 Dasinfomedia, Mojoomla | 2 Wpgym Gym Management System, Wordpress Gym Management System | 2026-04-08 | 9.8 Critical |
| The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-1069 | 1 Crmperks | 1 Database For Contact Form 7\, Wpforms\, Elementor Forms | 2026-04-08 | 7.2 High |
| The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-0699 | 1 Meowapps | 1 Ai Engine | 2026-04-08 | 6.6 Medium |
| The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_image_from_url' function in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Editor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2024-29100 is likely a duplicate of this issue. | ||||
| CVE-2023-7061 | 1 Advancedfilemanager | 1 File Manager Advanced Shortcode | 2026-04-08 | 8.8 High |
| The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers with contributor access or above to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6846 | 1 Filemanagerpro | 1 File Manager | 2026-04-08 | 8.8 High |
| The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the server. Version 8.3.5 introduces a capability check that prevents users lower than admin from executing this function. | ||||
| CVE-2023-6826 | 1 E2pdf | 1 E2pdf | 2026-04-08 | 7.2 High |
| The E2Pdf plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'import_action' function in versions up to, and including, 1.20.25. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6133 | 1 Incsub | 1 Forminator | 2026-04-08 | 6.6 Medium |
| The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed. | ||||
| CVE-2023-5860 | 1 Bplugins | 1 Icons Font Loader | 2026-04-08 | 7.2 High |
| The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-5822 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2026-04-08 | 8.1 High |
| The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types. | ||||
| CVE-2021-4449 | 2 Digitalzoomstudio, Zoomit | 2 Zoomsounds, Zoomsounds | 2026-04-08 | 9.8 Critical |
| The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this. | ||||
| CVE-2024-12042 | 1 Inspireui | 1 Mstore Api | 2026-04-08 | 5.4 Medium |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file. | ||||
| CVE-2024-13359 | 1 Tychesoftwares | 1 Product Input Fields For Woocommerce | 2026-04-08 | 8.1 High |
| The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() function in all versions up to, and including, 1.12.0. This may make it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that by default the plugin is only vulnerable to a double extension file upload attack, unless an administrators leaves the accepted file extensions field blank which can make .php file uploads possible. Please note 1.12.2 was mistakenly marked as patched while 1.12.1 was marked as vulnerable for a short period of time, this is not the case and 1.12.1 is fully patched. | ||||
| CVE-2024-13365 | 1 Cleantalk | 1 Security \& Malware Scan | 2026-04-08 | 9.8 Critical |
| The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-13908 | 1 Bestwebsoft | 1 Smtp | 2026-04-08 | 7.2 High |
| The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2020-36847 | 1 Simplefilelist | 1 Simple File List | 2026-04-08 | 9.8 Critical |
| The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server. | ||||
| CVE-2024-7770 | 2 Bitapps, Bitpressadmin | 2 File Manager, Bit File Manager Wordpress | 2026-04-08 | 8.8 High |
| The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-6823 | 1 Davidlingren | 1 Media Library Assistant | 2026-04-08 | 8.8 High |
| The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions up to, and including, 3.18. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-1332 | 1 Brainstormforce | 1 Custom Fonts | 2026-04-08 | 6.4 Medium |
| The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2012-10020 | 2 Webmovementllc, Wordpress | 2 Foxypress, Wordpress | 2026-04-08 | 9.8 Critical |
| The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, and including, 0.4.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||