Cross-site request forgery (CSRF) vulnerability in the WordPress File Upload plugin (wp-file-upload) before 2.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are ob...
7.4 AI Score
0.001 EPSS
The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 allow users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks.
5.4 CVSS
5.3 AI Score
0.001 EPSS
The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 do not escape some of their shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
5.4 CVSS
5.2 AI Score
0.001 EPSS
The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arb...
8.8 CVSS
8.9 AI Score
0.001 EPSS
The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
5.4 CVSS
5.1 AI Score
0.001 EPSS
The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.
6.1 CVSS
5.7 AI Score
0.0004 EPSS
The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admin.
6.1 CVSS
5.8 AI Score
0.0004 EPSS