Skip to main content

Green Downloads CVE-2026-32536

| EUVDEUVD-2026-15910 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-25 Patchstack GHSA-8vcc-333p-5pmv
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15910
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.9

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files.This issue affects Green Downloads: from n/a through <= 2.08.

AnalysisAI

The halfdata Green Downloads plugin for WordPress contains an unrestricted file upload vulnerability (CWE-434) that permits attackers to upload malicious files to affected systems. This vulnerability affects Green Downloads versions up to and including 2.08, as confirmed by Patchstack and ENISA. An unauthenticated or low-privileged attacker can exploit this to upload dangerous file types, potentially leading to remote code execution, website defacement, or malware distribution.

Technical ContextAI

The vulnerability exists in the halfdata Green Downloads WordPress plugin (CPE: cpe:2.3:a:halfdata:green_downloads:*:*:*:*:*:*:*:*), which is designed to facilitate PayPal-based downloads. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the plugin fails to properly validate and restrict the file types that users can upload. This is a classic file upload validation flaw where the application does not enforce whitelist-based file type restrictions, MIME type validation, or storage isolation. Attackers can bypass file type checks by uploading executable files (PHP, ASP, JSP) or other dangerous content that the web server may process, leading to arbitrary code execution within the WordPress environment.

RemediationAI

Immediately upgrade the halfdata Green Downloads plugin to version 2.09 or later if available; consult the official Patchstack advisory and the halfdata project repository for the latest patched version. If an upgrade is not immediately available, deactivate and remove the plugin until a security patch is released. As an interim mitigation, restrict file upload permissions at the WordPress level by using security plugins to disable file uploads in the vulnerable plugin, implement Web Application Firewall (WAF) rules to block requests with suspicious file extensions (PHP, EXE, COM, etc.) sent to the plugin's upload endpoints, and monitor WordPress upload directories for unauthorized files. Additionally, configure the web server to prevent execution of scripts in the uploads directory by adding appropriate directives (e.g., disable PHP execution in wp-content/uploads). Monitor the Patchstack database and WordPress plugin repository for official patch notifications.

Share

CVE-2026-32536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy