Skip to main content

WPify Woo Czech CVE-2026-42748

| EUVDEUVD-2026-32197 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-27 audit@patchstack.com GHSA-gq59-p4pm-pvrc
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:47 vuln.today

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects WPify Woo Czech: from n/a through <= 5.4.1.

AnalysisAI

Arbitrary file upload in the WPify Woo Czech WordPress/WooCommerce plugin (versions through 5.4.1) lets a low-privileged authenticated user upload a dangerous file type - i.e., a PHP web shell - to the web server, leading to remote code execution. The CVSS 3.1 vector (PR:L, S:C, C:H/I:H/A:H) reflects a scope-changing critical-severity flaw scored 9.9 that compromises the entire host once exploited. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS score is very low (0.04%, 13th percentile), indicating little observed exploitation pressure despite the high CVSS.

Technical ContextAI

WPify Woo Czech is a WordPress plugin that adds Czech-market localization and integrations (payment, shipping, invoicing) to WooCommerce stores. The root cause is CWE-434, Unrestricted Upload of File with Dangerous Type: an upload handler in the plugin fails to adequately validate the type, extension, or content of uploaded files, permitting an executable PHP file to be written into a web-accessible location. Because WordPress serves files from the host PHP runtime, an uploaded script can be requested and executed directly, turning a file-write primitive into code execution. The Changed scope (S:C) in the CVSS vector indicates impact extends beyond the plugin's own security boundary to the underlying web server and other hosted components. No CPE 2.3 string is provided; the EUVD record identifies the affected component only as 'WPify Woo Czech 0 ≤5.4.1.'

RemediationAI

No vendor-released patch version is identified in the available data, so the immediate action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wpify-woo/vulnerability/wordpress-wpify-woo-czech-plugin-5-4-1-arbitrary-file-upload-vulnerability?_s_id=cve) and the WPify vendor channel for a release newer than 5.4.1, then upgrade to it as the primary fix. Until a fixed version is confirmed, apply compensating controls: deploy a virtual patch / WAF rule (e.g., Patchstack) to block malicious uploads to the plugin; disable PHP execution in the WordPress uploads directory (for example via a directory-level handler restriction) so an uploaded script cannot run, accepting that this may break legitimate features relying on dynamic files in that path; and tighten account hygiene by disabling open user registration and auditing/minimizing low-privilege accounts and roles with upload capability, since the flaw needs an authenticated session (PR:L). Monitor the uploads directory and web logs for unexpected PHP files and requests to them.

Share

CVE-2026-42748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy