Skip to main content

Syarif Mobile App Editor EUVDEUVD-2026-13087

| CVE-2026-27067 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-19 audit@patchstack.com
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2026-13087
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
CRITICAL 9.1

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through 1.3.1.

AnalysisAI

The Mobile App Editor WordPress plugin contains an unrestricted file upload vulnerability that allows authenticated administrators to upload malicious web shells to the web server. This affects all versions through 1.3.1 and carries a critical CVSS score of 9.1 due to the potential for complete system compromise with changed scope. While requiring high privileges (administrator access), successful exploitation enables full server control including data theft, integrity compromise, and service disruption.

Technical ContextAI

This vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a common web application flaw where user-supplied files are not properly validated before being written to the server filesystem. The Mobile App Editor WordPress plugin fails to implement adequate file type validation, extension filtering, or content inspection on uploaded files. This allows attackers with administrative access to bypass intended restrictions and upload PHP web shells or other executable code that can then be accessed directly through the web server, granting arbitrary command execution capabilities. The vulnerability exists in the plugin's file handling routines where user-controlled data determines file content and location without sufficient security controls.

RemediationAI

WordPress administrators should immediately update the Mobile App Editor plugin to a version newer than 1.3.1 if a patched version is available. Check the official WordPress plugin repository or contact the plugin vendor Syarif for the latest secure release. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/mobile-app-editor/vulnerability/wordpress-mobile-app-editor-plugin-1-3-1-arbitrary-file-upload-vulnerability for specific patch information and updated version numbers. If no patch is available or immediate updating is not feasible, disable and remove the Mobile App Editor plugin entirely until a fix is released. Additionally, implement defense-in-depth measures including restricting WordPress administrative access to trusted IP addresses, enforcing multi-factor authentication for all admin accounts, regularly auditing uploaded files for suspicious content, and implementing web application firewall rules to detect and block web shell upload attempts.

Share

EUVD-2026-13087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy