Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in denishua WPJAM Basic wpjam-basic allows Using Malicious Files.This issue affects WPJAM Basic: from n/a through <= 6.9.2.
AnalysisAI
WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.
Technical ContextAI
The vulnerability resides in the WPJAM Basic WordPress plugin (cpe:2.3:a:denishua:wpjam_basic:*:*:*:*:*:*:*:*), which provides content management and optimization features. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the plugin fails to properly validate, restrict, or sanitize file uploads. WordPress plugins typically operate within the wp-content directory and can execute PHP code, meaning a successful file upload can result in remote code execution if an attacker uploads a PHP shell or other executable payload. The vulnerability exists across the entire version lineage up to and including version 6.9.2, suggesting that input validation mechanisms are either absent or easily bypassed.
RemediationAI
Immediately upgrade WPJAM Basic to a version newer than 6.9.2 if available from the plugin developer (denishua). Check the official WordPress plugin repository or the developer's website for the latest patched release. Until an upgrade is available, disable the WPJAM Basic plugin entirely and remove it if not actively in use. As a defense-in-depth measure, restrict file uploads to specific safe directories with execution disabled (via .htaccess or web server configuration), limit upload file types via whitelist, and implement Web Application Firewall (WAF) rules to block suspicious file uploads. Monitor WordPress logs and file system changes for signs of unauthorized uploads. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wpjam-basic/vulnerability/wordpress-wpjam-basic-plugin-6-9-2-arbitrary-file-upload-vulnerability for additional details and patch availability.
More in Wpjam Basic
View allPHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowi
Server-Side Request Forgery in the WPJAM Basic WordPress plugin (by denishua) affects all versions up to and including 7
Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15887
GHSA-q9fv-jcvh-q4f7