Skip to main content

WoowBot Pro Max CVE-2026-57710

| EUVDEUVD-2026-43365 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-13 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable upload endpoint needing only a low-privileged account (PR:L), no interaction, and unrestricted upload yielding code execution that escapes the app scope (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:48 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.9

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in quantumcloud WoowBot Pro Max woowbot-pro-max allows Using Malicious Files.This issue affects WoowBot Pro Max: from n/a through <= 14.1.7.

AnalysisAI

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged WordPress account
Delivery
Reach WoowBot upload endpoint
Exploit
Upload PHP payload as dangerous file type
Execution
Request uploaded shell over HTTP
Impact
Execute arbitrary code, compromise server

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on the target WordPress site - the CVSS PR:L metric confirms a low-privileged account is needed rather than fully anonymous access - plus the WoowBot Pro Max plugin (version ≤ 14.1.7) being installed and active with its file-upload feature reachable by that account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privileged WordPress account, then sends a crafted request to the WoowBot Pro Max upload handler carrying a PHP web shell disguised as an allowed file type. Because the plugin does not validate the file type, the shell is written to a web-accessible path and the attacker requests it directly to execute arbitrary commands, achieving full server compromise. …
Remediation No vendor-released patched version is identified in the provided data (fix listed as n/a), so upgrade to a fixed release once quantumcloud publishes one - track the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woowbot-pro-max/vulnerability/wordpress-woowbot-pro-max-plugin-14-1-7-arbitrary-file-upload-vulnerability for the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit and inventory all WordPress installations using WoowBot Pro Max plugin version 14.1.7 or earlier; immediately deactivate and remove the plugin from all affected systems to eliminate the attack surface. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57710 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy