Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9.
AnalysisAI
An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.
Technical ContextAI
The vulnerability resides in the Photo Engine WordPress plugin (CPE: cpe:2.3:a:jordy_meow:photo_engine:*:*:*:*:*:*:*:*) specifically within the wplr-sync upload handler component. The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), a fundamental file upload validation failure where the application fails to properly validate, sanitize, or restrict the type of files users can upload. The plugin accepts file uploads without adequate checks on file extension, MIME type, or content inspection, allowing attackers to bypass intended restrictions and place executable files (PHP shells, etc.) into web-accessible directories. This is a common vulnerability class in WordPress plugins where custom upload handlers are implemented without proper security controls.
RemediationAI
Immediately upgrade Jordy Meow Photo Engine to a version newer than 6.4.9; contact the vendor (Patchstack maintains this plugin data) for the latest patched release. Until a patch is available, disable the wplr-sync upload functionality entirely via plugin configuration or remove the plugin if not essential. Implement file upload restrictions at the web server level using Apache/Nginx rules to block execution of scripts in upload directories (e.g., adding .htaccess or nginx location blocks to deny PHP execution in wp-content/uploads). Additionally, apply strict file type validation at the web application firewall or reverse proxy, restrict plugin upload capabilities to authenticated users only if available, and monitor upload directories for suspicious file creations using SIEM or file integrity monitoring tools. For comprehensive protection, review other custom WordPress plugins for similar CWE-434 issues.
More in Photo Engine
View allMissing Authorization vulnerability in Jordy Meow Photo Engine allows Exploiting Incorrectly Configured Access Control S
Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15888
GHSA-v47h-99v4-c43h