Filr CVE-2026-28133
HIGHSeverity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.12.
AnalysisAI
Arbitrary file upload in Filr WordPress plugin versions ≤1.2.12 allows authenticated attackers with low privileges to upload web shells, achieving remote code execution with changed scope (S:C). Despite high CVSS 8.5, exploitation requires authentication and moderately complex conditions (AC:H). EPSS probability remains very low at 0.03% (10th percentile), and no active exploitation or public proof-of-concept has been identified. Patchstack disclosure indicates this is a targeted vulnerability requiring specific WordPress role permissions rather than mass-exploitable issue.
Technical ContextAI
This vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type) in the Filr WordPress plugin by WP Chill. The plugin fails to properly validate file types and extensions during upload operations, allowing malicious file execution. The 'changed scope' indicator (S:C) in the CVSS vector suggests the vulnerability enables attackers to break out of the plugin's security context and execute code in the broader WordPress/web server environment. WordPress file upload vulnerabilities typically exploit inadequate MIME type checking, missing file extension whitelisting, or bypasses using double extensions or null bytes. The AC:H (high attack complexity) suggests exploitation requires specific knowledge of plugin internals, timing conditions, or non-default configurations that aren't universally present across all installations.
Affected ProductsAI
WordPress plugin Filr (also known as filr-protection) by WP Chill, all versions from earliest release through version 1.2.12 inclusive. The vulnerability report from Patchstack (audit@patchstack.com) identifies the specific affected range as n/a through ≤1.2.12, indicating all historical versions contain this flaw. No CPE identifier provided in available data. Vendor advisory and technical details available at Patchstack vulnerability database reference https://patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-12-arbitrary-file-upload-vulnerability.
RemediationAI
Upgrade Filr plugin to version 1.2.13 or later if available (exact patched version not independently confirmed from provided data-verify current version status at WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-12-arbitrary-file-upload-vulnerability). If immediate upgrade is not feasible, implement compensating controls: restrict Filr plugin usage to only Administrator and Editor roles through WordPress capability filtering (side effect: legitimate Contributors/Authors lose access to plugin features); implement web application firewall rules to block PHP/executable file uploads to plugin directories (may cause false positives for legitimate file types); disable the Filr plugin entirely until patched version is confirmed and deployed (eliminates plugin functionality). Monitor WordPress user accounts with Contributor-level or higher permissions for suspicious activity. Review existing uploaded files in Filr directories for unexpected executable content (PHP, JSP, ASPX extensions).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today