Skip to main content

Swiss Toolkit For WP CVE-2026-2354

| EUVDEUVD-2026-43133 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-11 Wordfence GHSA-xq2v-8qf4-3rg6
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable upload needing an Author account gives PR:L and AV:N; the substring bypass is trivially low-complexity (AC:L), and RCE yields full C:H/I:H/A:H; the required non-default feature is a deployment condition rather than an AC increase.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:01 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
HIGH 8.8

DescriptionCVE.org

The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the upload_extension_files() function in all versions up to, and including, 1.4.6. The upload_extension_files() function hooks into WordPress's wp_check_filetype_and_ext filter and uses strpos() to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats.

AnalysisAI

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Author-level WordPress account
Delivery
Enable/confirm multi-format image feature active
Exploit
Craft PHP file with allowed-extension substring name
Install
Upload via extension file handler bypassing strpos check
C2
Request uploaded file URL
Execute
Execute arbitrary PHP as web server
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with Author-level privileges or higher (per CVSS PR:L), AND the plugin's optional 'Enhanced Multi-Format Image Support' feature must be enabled with at least one extension (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8) reflects network-reachable exploitation with low complexity, low privileges, no user interaction, and full CIA impact - consistent with file-upload-to-RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted an Author-level WordPress account on a site running Swiss Toolkit For WP ≤ 1.4.6 with the multi-format image feature enabled uploads a file named to embed an allowed substring while carrying PHP content (e.g. 'evil_avif.php'). …
Remediation No vendor-released fix version is confirmed in the available data; because the flaw affects all versions through 1.4.6, upgrade to the next release above 1.4.6 once the vendor publishes it and verify the fix against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/06bccd2e-6891-433a-9f5b-3ec0c30afef4?source=cve) - do not assume a specific patched version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running Swiss Toolkit For WP ≤1.4.6 via plugin scan; disable the plugin immediately and audit which user accounts hold Author role or higher. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-2354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy