Skip to main content

Malicious File Upload

web HIGH

Malicious file upload attacks exploit insufficient validation when web applications accept user-provided files.

How It Works

Malicious file upload attacks exploit insufficient validation when web applications accept user-provided files. The attacker uploads a file containing executable code—commonly a web shell written in PHP, JSP, or ASPX—disguised to bypass basic security checks. Once uploaded to a web-accessible directory, the attacker navigates to the file's URL, triggering server-side execution and gaining remote command execution capabilities.

Attackers employ various bypass techniques to defeat weak filters. Content-Type spoofing involves manipulating HTTP headers to claim a malicious PHP file is an image. Double extensions like shell.php.jpg exploit flawed parsers that only check the final extension. Null byte injection (shell.php%00.jpg) can truncate filenames in vulnerable code. Case manipulation (.pHp, .AsP) defeats case-sensitive blacklists. Advanced attacks upload .htaccess or web.config files to reconfigure the server, enabling script execution in directories where it was previously disabled.

The typical attack flow begins with reconnaissance to locate upload functionality, followed by testing various evasion techniques until a payload successfully uploads. The attacker then accesses the uploaded web shell through a browser, passing commands via URL parameters. This establishes an interactive backdoor for further exploitation, lateral movement, and data theft.

Impact

  • Remote code execution: Full command-line access to the web server with the application's privileges
  • Web shell persistence: Durable backdoor survives application restarts, enabling long-term access
  • Data exfiltration: Direct file system access allows theft of databases, credentials, source code, and sensitive documents
  • Server compromise: Ability to install additional malware, create privileged accounts, and pivot to internal networks
  • Website defacement: Modification of public-facing content to damage reputation or spread misinformation

Real-World Examples

Cisco Wireless LAN Controller (CVE-2025-20188) combined a hardcoded JWT credential with unrestricted file upload, allowing unauthenticated attackers to deploy web shells and achieve complete controller compromise. The dual vulnerability eliminated authentication barriers entirely.

WordPress plugin vulnerabilities frequently expose this attack surface. Numerous plugins have allowed arbitrary file uploads through image galleries or media managers, where attackers upload PHP shells disguised as images, then execute them to take over hosting environments.

Enterprise content management systems have suffered similar flaws where document upload features failed to validate file types properly, allowing attackers to upload executable scripts that provided administrative access to corporate intranets and sensitive business data.

Mitigation

  • Whitelist permitted extensions and validate against both filename and actual file content (magic bytes/file signatures)
  • Store uploads outside the webroot entirely, serving them through a handler script that prevents execution
  • Disable script execution in upload directories via web server configuration (remove execute permissions)
  • Rename uploaded files to random identifiers, breaking the attacker's ability to predict URLs
  • Implement content scanning with antivirus/malware detection before storing files
  • Enforce authentication and authorization on all upload endpoints with proper session management
  • Validate file size limits to prevent resource exhaustion alongside malicious uploads

Recent CVEs (4034)

EPSS 1% CVSS 9.8
CRITICAL POC Act Now

yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal File Upload Yshopmall
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Hive Support Hive Support hive-support allows Upload a Web Shell to a Web Server.1.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Optimal Access KBucket kbucket allows Upload a Web Shell to a Web Server.2.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in wpmonks Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation ai-content-generator allows Upload a Web Shell to a. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 54% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in softpulseinfotech Picsmize plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. CVSS 10.0 with a scope-changed vector reflects the severity, and the EPSS score of 54.26% (98th percentile) indicates elevated likelihood of exploitation attempts, though no public exploit identified at time of analysis.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in faizalbahasan kineticPay for WooCommerce kineticpay-for-woocommerce allows Upload a Web Shell to a Web Server.0.8. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in bdthemes Instant Image Generator ai-image allows Upload a Web Shell to a Web Server.5.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress boat-rental-system allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
EPSS 55% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the Datasets Manager by Arttia Creative WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to upload arbitrary files of dangerous types, leading to full server compromise via webshell execution. With a maximum CVSS score of 10.0, scope-changed impact, and an EPSS score of 54.56% in the 98th percentile, this represents a critical, high-probability exploitation target. No public exploit identified at time of analysis, but the attack surface and ease of weaponization make this an urgent priority.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in DoThatTask Do That Task do-that-task allows Upload a Web Shell to a Web Server.5.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Team Devexhub Devexhub Gallery devexhub-gallery allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in WebTechGlobal Easy CSV Importer BETA easy-csv-importer allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 3% CVSS 8.7
HIGH POC This Week

common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Java File Upload
NVD GitHub Exploit-DB
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM This Month

A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Eyoucms
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via the file upload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

D-Link XSS File Upload +1
NVD GitHub
EPSS 2% CVSS 5.1
MEDIUM This Month

A vulnerability classified as problematic has been found in DedeCMS 5.7.116. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in 上海灵当信息科技有限公司 Lingdang CRM up to 8.6.4.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Webopac from Grand Vice info does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells, which could lead to arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
EPSS 45% 4.9 CVSS 10.0
CRITICAL POC THREAT Emergency

Unrestricted file upload in Ateeq Rafeeq's RepairBuddy (computer-repair-shop) WordPress plugin versions up to and including 3.8115 allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. Publicly available exploit code exists, and the EPSS score of 45.04% (98th percentile) indicates a high likelihood of exploitation activity. The maximum CVSS score of 10.0 reflects scope change and complete confidentiality, integrity, and availability impact.

File Upload
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dang Ngoc Binh Audio Record audio-record allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Unrestricted file upload in the Made I.T. Forms WordPress plugin (forms-by-made-it) through version 2.8.0 enables remote unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to full server compromise. With a maximum CVSS score of 10.0 and changed scope, the issue affects all installations up to and including 2.8.0; publicly available exploit code exists, though EPSS sits at 0.75% (73rd percentile) indicating moderate observed activity rather than mass exploitation.

File Upload
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in HB WEBSOL HB AUDIO GALLERY hb-audio-gallery allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in UjW0L Image Classify image-classify allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 56% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in Joshua Wolfe's The Novel Design Store Directory plugin (versions up to and including 4.3.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. With a maximum CVSS of 10.0, scope change, and an EPSS of 56.19% (98th percentile), this is among the highest-risk WordPress plugin issues; no public exploit is identified at time of analysis but exploitation probability is extremely elevated. Reported by Patchstack, the flaw enables direct arbitrary code execution against any site running the affected plugin.

File Upload
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Simple Music Cloud Community System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

File Upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php a component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability classified as problematic was found in CodeAstro Real Estate Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability classified as problematic has been found in CodeAstro Real Estate Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in Codezips Online Institute Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Codezips Online Institute Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 2.3
LOW PATCH Monitor

Filament is a collection of full-stack components for accelerated Laravel development. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. Rated medium severity (CVSS 5.9). This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Authentication Bypass Microsoft Google +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 8% CVSS 9.9
CRITICAL Act Now

The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress RCE +1
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Codezips Free Exam Hall Seating Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Free Exam Hall Seating Management System
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in Codezips Online Institute Management System up to 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Institute Management System
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in Codezips Online Institute Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Institute Management System
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the RSVPMaker for Toastmasters WordPress plugin (versions through 6.2.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects scope change with complete confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS remains modest at 0.89% (75th percentile).

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training - Courses training allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) permits remote unauthenticated attackers to upload arbitrary files, including web shells, to vulnerable WordPress sites. The CVSS 10.0 score with a scope-changed vector reflects full compromise potential of the underlying web server, though no public exploit has been identified at time of analysis and the EPSS score of 0.89% (75th percentile) suggests no widespread exploitation observed yet.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Unrestricted file upload in the Multi Purpose Mail Form WordPress plugin (versions through 1.0.2) by Lindeni Mahlalela allows unauthenticated remote attackers to upload arbitrary files including web shells, yielding full server compromise. CVSS is 10.0 with scope change, and publicly available exploit code exists; EPSS sits at 1.14% (78th percentile), indicating moderate but not yet widespread automated exploitation interest.

File Upload
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Helloprint WordPress plugin (versions through 2.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-auth exploitation with scope change and full CIA impact, though no public exploit has been identified at time of analysis and EPSS remains modest at 1.23% (79th percentile).

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the RainbowLink All Post Contact Form WordPress plugin (versions up to and including 1.8.2) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope change (S:C) indicates the impact extends beyond the vulnerable component to the underlying WordPress host. No public exploit identified at time of analysis, and EPSS of 0.89% (75th percentile) suggests moderate but not yet widespread exploitation interest.

File Upload
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels.24.7. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress CSRF File Upload +1
NVD
EPSS 13% CVSS 9.8
CRITICAL Act Now

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Icecms
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC This Week

An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sage Frp 1000
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 33% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the AR For Woocommerce WordPress plugin (versions through 6.3) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full remote code execution on the underlying web server. The vulnerability carries a maximum CVSS score of 10.0 with scope change, and an EPSS score in the 97th percentile (33.03%) indicates significantly elevated exploitation probability, though no public exploit is identified at time of analysis.

File Upload WordPress
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The FileOrganizer - Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload +1
NVD
EPSS 62% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the Ajar in5 Embed WordPress plugin (versions up to and including 3.1.3) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS of 61.50% (98th percentile) indicates a very high probability of near-term exploitation, though no public exploit or KEV listing was identified at time of analysis.

File Upload
NVD VulDB
EPSS 70% 4.1 CVSS 9.9
CRITICAL Emergency

Unrestricted file upload in SurveyJS versions up to and including 1.9.136 allows authenticated remote attackers to upload files of dangerous types, enabling code execution or content takeover with scope change to other components. EPSS scores this at the 99th percentile (69.65%) indicating very high exploitation probability, though no public exploit identified at time of analysis and not listed in CISA KEV.

File Upload
NVD VulDB
EPSS 2% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote code execution in aDirectory plugin versions up to and including 1.3 allows attackers to upload arbitrary files (web shells) to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential, and while no public exploit is identified at time of analysis, the EPSS score of 1.67% (82nd percentile) signals elevated exploitation interest relative to the broader CVE population.

File Upload
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Sudan Payment Gateway for WooCommerce WordPress plugin (versions up to and including 1.2.2) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS 10.0 score reflecting network attack vector, no privileges, and changed scope, exploitation yields full server compromise; no public exploit identified at time of analysis, though EPSS places it at the 77th percentile indicating moderate predicted exploitation likelihood.

File Upload WordPress
NVD VulDB
EPSS 56% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.

File Upload
NVD VulDB
EPSS 2% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.

File Upload
NVD VulDB
EPSS 56% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the Chetan Khandla 'Woocommerce Product Design' WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, achieving full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and EPSS places it in the 98th percentile (55.5% probability of exploitation), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

File Upload WordPress
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Upload a Web Shell to a Web Server.27.80. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated arbitrary file upload in the AR For WordPress plugin (versions up to and including 6.6) allows remote attackers to upload web shells and achieve full site compromise. With a maximum CVSS score of 10.0 and CWE-434 (Unrestricted Upload of File with Dangerous Type), the flaw is critical, though no public exploit identified at time of analysis and EPSS sits at 1.31% (80th percentile) indicating moderate predicted exploitation activity. Reported via Patchstack, the issue affects all known versions of the plugin from webandprint.

File Upload WordPress
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.

File Upload
NVD VulDB
EPSS 3% CVSS 8.8
HIGH POC Act Now

File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Prison Management System
NVD GitHub
EPSS 99% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Harmony +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability classified as critical has been found in SourceCodester Attendance and Payroll System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Attendance And Payroll System
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Online Hotel Reservation System
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in Poco-z Guns-Medical 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Guns Medial
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Hotel Reservation System
NVD GitHub VulDB
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress File Upload
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF RCE File Upload
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal File Upload +2
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS File Upload
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The File Upload Types by WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

File Upload Mt6000 Firmware Mt3000 Firmware +19
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

An issue in SourceCodester Purchase Order Management System v1.0 allows a remote attacker to execute arbitrary code via the /admin?page=user component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Purchase Order Management System
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Michael Bourne Custom Icons for Elementor custom-icons-for-elementor allows Upload a Web Shell to a Web Server.3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dogu Pekgoz AI Image Generator for Your Content & Featured Images - AI Postpix ai-postpix allows Upload a Web Shell to a Web. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official ink-official allows Upload a Web Shell to a Web Server.1.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
EPSS 59% CVSS 10.0
CRITICAL Emergency

Remote code execution in the Verbalize WP WordPress plugin (versions through 1.0) allows unauthenticated attackers to upload arbitrary files, including web shells, to the target web server. With a maximum CVSS score of 10.0 and an EPSS probability of 58.95% (98th percentile), this represents a critical, easily exploitable flaw, though no public exploit was identified at time of analysis and the CVE is not currently listed in CISA KEV.

File Upload
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ecomerciar Woocommerce Custom Profile Picture woo-custom-profile-picture allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress
NVD VulDB
Prev Page 17 of 45 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4034

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy