Skip to main content

OMGF Pro EUVDEUVD-2026-39538

| CVE-2026-57700 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-25 Patchstack GHSA-qxx8-x6c8-jhvr
10.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable upload with no auth/interaction per source vector; webshell yields full triad impact, but I scope it Unchanged (S:U) as compromise stays within the WordPress/server security authority rather than crossing to a distinct system.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 18:50 vuln.today

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.

This issue affects OMGF Pro: from n/a through 5.2.6.

AnalysisAI

Arbitrary file upload in Daan.Dev's OMGF Pro WordPress plugin (versions through 5.2.6) lets remote attackers upload files of dangerous types, enabling webshell deployment and full site/server takeover. The CVSS 3.1 base score is 10.0 with a scope-changed vector, and the vector's PR:N indicates the flaw is reachable without authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running OMGF Pro ≤5.2.6
Delivery
Send crafted upload request to import endpoint
Exploit
Bypass missing file-type validation (CWE-434)
Execution
Write PHP webshell to web-accessible dir
Persist
Request uploaded file to execute code
Impact
Full site and server compromise

Vulnerability AssessmentAI

Exploitation The vulnerable feature is OMGF Pro's file-upload/font-import handling in versions up to 5.2.6; an attacker must reach the plugin's upload endpoint over HTTP and supply a dangerous-type file the handler accepts and writes to a web-served path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals here are mixed in maturity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request to the plugin's upload/import endpoint, submitting a PHP webshell disguised as a font or asset file. Because the handler does not validate type, the file lands in a web-accessible directory; the attacker then requests it directly to execute arbitrary code and gain control of the WordPress site and underlying server. …
Remediation Upgrade OMGF Pro to a release later than 5.2.6 - the record bounds the vulnerable range at 5.2.6, but no exact fixed version number is provided in the input, so confirm the patched build via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/host-google-fonts-pro/vulnerability/wordpress-omgf-pro-plugin-5-2-6-arbitrary-file-upload-vulnerability) and the Daan.Dev account/update channel before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all WordPress installations using OMGF Pro versions through 5.2.6 and disable or remove the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy