Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable upload endpoint needing only a low-privileged account (PR:L), no interaction, and unrestricted upload yielding code execution that escapes the app scope (S:C) with full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in quantumcloud WoowBot Pro Max woowbot-pro-max allows Using Malicious Files.This issue affects WoowBot Pro Max: from n/a through <= 14.1.7.
AnalysisAI
Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session on the target WordPress site - the CVSS PR:L metric confirms a low-privileged account is needed rather than fully anonymous access - plus the WoowBot Pro Max plugin (version ≤ 14.1.7) being installed and active with its file-upload feature reachable by that account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue rather than an inflated CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privileged WordPress account, then sends a crafted request to the WoowBot Pro Max upload handler carrying a PHP web shell disguised as an allowed file type. Because the plugin does not validate the file type, the shell is written to a web-accessible path and the attacker requests it directly to execute arbitrary commands, achieving full server compromise. … |
| Remediation | No vendor-released patched version is identified in the provided data (fix listed as n/a), so upgrade to a fixed release once quantumcloud publishes one - track the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woowbot-pro-max/vulnerability/wordpress-woowbot-pro-max-plugin-14-1-7-arbitrary-file-upload-vulnerability for the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit and inventory all WordPress installations using WoowBot Pro Max plugin version 14.1.7 or earlier; immediately deactivate and remove the plugin from all affected systems to eliminate the attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43365