Skip to main content

Easy Upload Files During Checkout

1 CVEs product

Monthly

CVE-2026-6802 MEDIUM This Month

Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.

Authentication Bypass WordPress Easy Upload Files During Checkout
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.

Authentication Bypass WordPress Easy Upload Files During Checkout
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy