Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable upload needing an Author account gives PR:L and AV:N; the substring bypass is trivially low-complexity (AC:L), and RCE yields full C:H/I:H/A:H; the required non-default feature is a deployment condition rather than an AC increase.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the upload_extension_files() function in all versions up to, and including, 1.4.6. The upload_extension_files() function hooks into WordPress's wp_check_filetype_and_ext filter and uses strpos() to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats.
Articles & Coverage 1
AnalysisAI
Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with Author-level privileges or higher (per CVSS PR:L), AND the plugin's optional 'Enhanced Multi-Format Image Support' feature must be enabled with at least one extension (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8) reflects network-reachable exploitation with low complexity, low privileges, no user interaction, and full CIA impact - consistent with file-upload-to-RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted an Author-level WordPress account on a site running Swiss Toolkit For WP ≤ 1.4.6 with the multi-format image feature enabled uploads a file named to embed an allowed substring while carrying PHP content (e.g. 'evil_avif.php'). … |
| Remediation | No vendor-released fix version is confirmed in the available data; because the flaw affects all versions through 1.4.6, upgrade to the next release above 1.4.6 once the vendor publishes it and verify the fix against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/06bccd2e-6891-433a-9f5b-3ec0c30afef4?source=cve) - do not assume a specific patched version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress instances running Swiss Toolkit For WP ≤1.4.6 via plugin scan; disable the plugin immediately and audit which user accounts hold Author role or higher. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43133
GHSA-xq2v-8qf4-3rg6