Skip to main content

Photo Engine EUVDEUVD-2026-15888

| CVE-2026-32524 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-25 Patchstack GHSA-v47h-99v4-c43h
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15888
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9.

AnalysisAI

An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.

Technical ContextAI

The vulnerability resides in the Photo Engine WordPress plugin (CPE: cpe:2.3:a:jordy_meow:photo_engine:*:*:*:*:*:*:*:*) specifically within the wplr-sync upload handler component. The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), a fundamental file upload validation failure where the application fails to properly validate, sanitize, or restrict the type of files users can upload. The plugin accepts file uploads without adequate checks on file extension, MIME type, or content inspection, allowing attackers to bypass intended restrictions and place executable files (PHP shells, etc.) into web-accessible directories. This is a common vulnerability class in WordPress plugins where custom upload handlers are implemented without proper security controls.

RemediationAI

Immediately upgrade Jordy Meow Photo Engine to a version newer than 6.4.9; contact the vendor (Patchstack maintains this plugin data) for the latest patched release. Until a patch is available, disable the wplr-sync upload functionality entirely via plugin configuration or remove the plugin if not essential. Implement file upload restrictions at the web server level using Apache/Nginx rules to block execution of scripts in upload directories (e.g., adding .htaccess or nginx location blocks to deny PHP execution in wp-content/uploads). Additionally, apply strict file type validation at the web application firewall or reverse proxy, restrict plugin upload capabilities to authenticated users only if available, and monitor upload directories for suspicious file creations using SIEM or file integrity monitoring tools. For comprehensive protection, review other custom WordPress plugins for similar CWE-434 issues.

Share

EUVD-2026-15888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy