Skip to main content

Whmcs Bridge

1 CVEs product

Monthly

CVE-2026-14489 HIGH This Week

Arbitrary file upload in the WHMCS Bridge plugin for WordPress (all versions through 6.9) lets authenticated users with Custom-level access or above upload files of any type via the unvalidated connect() function, potentially achieving remote code execution on the host. Reported by Wordfence and tracked as CWE-434, the flaw carries a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The impact hinges on the plugin's failure to enforce file-type checks before writing uploaded content to disk.

WordPress RCE File Upload Whmcs Bridge
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file upload in the WHMCS Bridge plugin for WordPress (all versions through 6.9) lets authenticated users with Custom-level access or above upload files of any type via the unvalidated connect() function, potentially achieving remote code execution on the host. Reported by Wordfence and tracked as CWE-434, the flaw carries a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The impact hinges on the plugin's failure to enforce file-type checks before writing uploaded content to disk.

WordPress RCE File Upload +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy