Skip to main content

Swiss Toolkit For Wp

1 CVEs product

Monthly

CVE-2026-2354 HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload Swiss Toolkit For Wp
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy