Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable upload with no auth/interaction per source vector; webshell yields full triad impact, but I scope it Unchanged (S:U) as compromise stays within the WordPress/server security authority rather than crossing to a distinct system.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.
This issue affects OMGF Pro: from n/a through 5.2.6.
AnalysisAI
Arbitrary file upload in Daan.Dev's OMGF Pro WordPress plugin (versions through 5.2.6) lets remote attackers upload files of dangerous types, enabling webshell deployment and full site/server takeover. The CVSS 3.1 base score is 10.0 with a scope-changed vector, and the vector's PR:N indicates the flaw is reachable without authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable feature is OMGF Pro's file-upload/font-import handling in versions up to 5.2.6; an attacker must reach the plugin's upload endpoint over HTTP and supply a dangerous-type file the handler accepts and writes to a web-served path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals here are mixed in maturity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted HTTP request to the plugin's upload/import endpoint, submitting a PHP webshell disguised as a font or asset file. Because the handler does not validate type, the file lands in a web-accessible directory; the attacker then requests it directly to execute arbitrary code and gain control of the WordPress site and underlying server. … |
| Remediation | Upgrade OMGF Pro to a release later than 5.2.6 - the record bounds the vulnerable range at 5.2.6, but no exact fixed version number is provided in the input, so confirm the patched build via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/host-google-fonts-pro/vulnerability/wordpress-omgf-pro-plugin-5-2-6-arbitrary-file-upload-vulnerability) and the Daan.Dev account/update channel before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all WordPress installations using OMGF Pro versions through 5.2.6 and disable or remove the plugin immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39538
GHSA-qxx8-x6c8-jhvr