Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Unauthenticated network-reachable upload endpoint (AV:N/AC:L/PR:N/UI:N); PHP write under WordPress yields RCE escaping the plugin sandbox to the host (S:C, C:H/I:H/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
AnalysisAI
Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.
Technical ContextAI
GeekyBot is a third-party WordPress plugin (CPE cpe:2.3:a:ahmad:geekybot) that, like many WP plugins, exposes server-side endpoints via the admin-ajax.php or REST routes. CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates the plugin's upload handler fails to validate file extension, MIME type, or content before writing user-supplied data into a web-accessible directory. In the WordPress ecosystem this almost always translates to writing a .php file under wp-content/uploads/ (or a plugin-specific folder) which is then directly executable by the PHP-FPM/Apache handler, turning the file write into arbitrary remote code execution under the web server user (www-data/apache).
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory references versions ≤1.2.2 as vulnerable without naming a fixed release, so administrators should monitor the Patchstack entry (https://patchstack.com/database/wordpress/plugin/geeky-bot/vulnerability/wordpress-geekybot-plugin-1-2-2-arbitrary-file-upload-vulnerability) and the WordPress.org plugin page for a 1.2.3+ release and upgrade immediately when available. Until a fix ships, the safest control is to deactivate and remove the GeekyBot plugin entirely (trade-off: loss of plugin functionality); if removal is not possible, deploy a WAF rule (Patchstack, Wordfence, or equivalent virtual patch) blocking uploads to the plugin's endpoint, restrict access to wp-admin/admin-ajax.php and any GeekyBot REST routes by IP, and add a webserver rule denying PHP execution under wp-content/uploads/ (e.g., an Apache <Directory> handler override or nginx location block) - note this last control can break legitimate plugins that rely on executing PHP from the uploads tree.
Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inj
SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to i
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36981
GHSA-jcp9-7cp3-7w4x