Skip to main content

GeekyBot CVE-2026-40772

| EUVDEUVD-2026-36981 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-15 Patchstack GHSA-jcp9-7cp3-7w4x
10.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Unauthenticated network-reachable upload endpoint (AV:N/AC:L/PR:N/UI:N); PHP write under WordPress yields RCE escaping the plugin sandbox to the host (S:C, C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:10 vuln.today

DescriptionCVE.org

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

AnalysisAI

Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.

Technical ContextAI

GeekyBot is a third-party WordPress plugin (CPE cpe:2.3:a:ahmad:geekybot) that, like many WP plugins, exposes server-side endpoints via the admin-ajax.php or REST routes. CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates the plugin's upload handler fails to validate file extension, MIME type, or content before writing user-supplied data into a web-accessible directory. In the WordPress ecosystem this almost always translates to writing a .php file under wp-content/uploads/ (or a plugin-specific folder) which is then directly executable by the PHP-FPM/Apache handler, turning the file write into arbitrary remote code execution under the web server user (www-data/apache).

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory references versions ≤1.2.2 as vulnerable without naming a fixed release, so administrators should monitor the Patchstack entry (https://patchstack.com/database/wordpress/plugin/geeky-bot/vulnerability/wordpress-geekybot-plugin-1-2-2-arbitrary-file-upload-vulnerability) and the WordPress.org plugin page for a 1.2.3+ release and upgrade immediately when available. Until a fix ships, the safest control is to deactivate and remove the GeekyBot plugin entirely (trade-off: loss of plugin functionality); if removal is not possible, deploy a WAF rule (Patchstack, Wordfence, or equivalent virtual patch) blocking uploads to the plugin's endpoint, restrict access to wp-admin/admin-ajax.php and any GeekyBot REST routes by IP, and add a webserver rule denying PHP execution under wp-content/uploads/ (e.g., an Apache <Directory> handler override or nginx location block) - note this last control can break legitimate plugins that rely on executing PHP from the uploads tree.

Share

CVE-2026-40772 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy