Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files.This issue affects Green Downloads: from n/a through <= 2.08.
AnalysisAI
The halfdata Green Downloads plugin for WordPress contains an unrestricted file upload vulnerability (CWE-434) that permits attackers to upload malicious files to affected systems. This vulnerability affects Green Downloads versions up to and including 2.08, as confirmed by Patchstack and ENISA. An unauthenticated or low-privileged attacker can exploit this to upload dangerous file types, potentially leading to remote code execution, website defacement, or malware distribution.
Technical ContextAI
The vulnerability exists in the halfdata Green Downloads WordPress plugin (CPE: cpe:2.3:a:halfdata:green_downloads:*:*:*:*:*:*:*:*), which is designed to facilitate PayPal-based downloads. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the plugin fails to properly validate and restrict the file types that users can upload. This is a classic file upload validation flaw where the application does not enforce whitelist-based file type restrictions, MIME type validation, or storage isolation. Attackers can bypass file type checks by uploading executable files (PHP, ASP, JSP) or other dangerous content that the web server may process, leading to arbitrary code execution within the WordPress environment.
RemediationAI
Immediately upgrade the halfdata Green Downloads plugin to version 2.09 or later if available; consult the official Patchstack advisory and the halfdata project repository for the latest patched version. If an upgrade is not immediately available, deactivate and remove the plugin until a security patch is released. As an interim mitigation, restrict file upload permissions at the WordPress level by using security plugins to disable file uploads in the vulnerable plugin, implement Web Application Firewall (WAF) rules to block requests with suspicious file extensions (PHP, EXE, COM, etc.) sent to the plugin's upload endpoints, and monitor WordPress upload directories for unauthorized files. Additionally, configure the web server to prevent execution of scripts in the uploads directory by adding appropriate directives (e.g., disable PHP execution in wp-content/uploads). Monitor the Patchstack database and WordPress plugin repository for official patch notifications.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15910
GHSA-8vcc-333p-5pmv