25 matches found
CVE-2020-10564
CVE-2020-10564 affects the WordPress File Upload plugin prior to 4.13.0. A directory traversal vulnerability allows remote code execution by uploading a crafted txt file into the lib directory, due to a wfu_include_lib call. Impact is remote code execution with network access. Remediation: upgrad...
CVE-2024-9047
CVE-2024-9047 affects the WordPress File Upload plugin up to version 4.24.11. The vulnerability is a path traversal in wfu_file_downloader.php that allows unauthenticated attackers to read or delete files outside the intended directory on WordPress sites running PHP 7.4 or earlier. Conn...
CVE-2021-24961
CVE-2021-24961 affects WordPress File Upload plugin (pre-4.16.3) and WordPress File Upload Pro plugin (pre-4.16.3). The vulnerability is a failure to escape certain shortcode arguments, enabling Stored Cross-Site Scripting via shortcodes for users with a role as low as Contributor. The issue is d...
CVE-2023-4811
The CVE-2023-4811 entry concerns the WordPress File Upload plugin for WordPress, prior to version 4.23.3. The root cause is insufficient sanitization/escaping of certain settings, enabling Stored Cross-Site Scripting by high-privilege users (e.g., contributors). Affected component: plugin setting...
CVE-2021-24960
CVE-2021-24960 concerns the WordPress File Upload plugin (and the wordpress-file-upload-pro variant) prior to version 4.16.3. The issue allows users with a role as low as Contributor to configure the upload form so SVG files can be uploaded, enabling stored Cross-Site Scripting (XSS). Reported im...
CVE-2021-24962
CVE-2021-24962 affects WordPress File Upload Free and Pro plugins prior to 4.16.3. A path traversal via a shortcode argument enables uploading PHP code disguised as an image into the plugin’s autoload directory, resulting in arbitrary code execution (RCE). Public PoCs exist (see wpexploit...
CVE-2024-11613
CVE-2024-11613 affects the WordPress File Upload plugin for WordPress, with vulnerable versions up to and including 4.24.15. The flaw arises from insufficient sanitization of the source parameter in wfu_file_downloader.php, allowing an unauthenticated attacker to specify a user-controlled...
CVE-2024-11635
CVE-2024-11635 affects WordPress File Upload plugin for WordPress up to version 4.24.12, enabling unauthenticated remote code execution via the wfu_ABSPATH cookie parameter. Public exploit exists (GitHub). Red Hat and Wordfence entries confirm the issue and note it has been patched; upgrade to 4....
CVE-2024-13494
CVE-2024-13494: The WordPress File Upload plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions through 4.25.2 due to missing/incorrect nonce validation in the wfu_file_details function. An unauthenticated attacker could modify details of uploaded files by tri...
CVE-2018-9844
CVE-2018-9844 affects the Iptanus WordPress File Upload plugin for WordPress (versions up to and including 4.3.3). The root cause is mishandling of the Settings attribute, which enables stored Cross-Site Scripting (XSS) in the admin panel (notably via the Edit_Settings functionality). Impact ...
CVE-2024-6651
CVE-2024-6651 affects the WordPress File Upload plugin for WordPress, specifically versions earlier than 4.24.8. The vulnerability is a reflected XSS in the plugin’s File Browser, caused by inadequate sanitization/escaping of the dir parameter before output to the admin page. Exploitation could a...
CVE-2024-2847
The CVE-2024-2847 entry concerns the WordPress File Upload plugin for WordPress. Affected: all versions up to and including 4.24.5. Root cause: insufficient input sanitization and output escaping on user-supplied attributes within the plugin shortcode(s). Impact: stored cross-site scripting (XSS)...
CVE-2024-7301
CVE-2024-7301: The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in all versions up to 4.24.8 due to insufficient input sanitization and output escaping. Unauthenticated attackers could inject scripts that execute when users view the SVG. Risk details...
CVE-2018-9172
The CVE-2018-9172 entry describes a vulnerability in the Iptanus WordPress File Upload plugin for WordPress, affecting versions prior to 4.3.3. The root cause is mishandling of shortcode attributes, which is associated with the Shortcodes/Uploader Instances functionality and has been demonstrated...
CVE-2023-2688
CVE-2023-2688 affects WordPress File Upload and WordPress File Upload Pro plugins for WordPress. Vulnerability: Path Traversal via wfu_newpath allows an administrator to move files uploaded to wp-content/uploads outside the web root, potentially exposing sensitive directories. Affected versions: ...
CVE-2024-9939
CVE-2024-9939 (WordPress File Upload plugin) is a path traversal vulnerability that affects WordPress File Upload up to version 4.24.13 via wfu_file_downloader.php, enabling unauthenticated attackers to read files outside the intended directory. The issue is confirmed in connected Red Hat and Wor...
CVE-2024-12719
CVE-2024-12719 relates to the WordPress File Upload plugin for WordPress. A missing capability check in the wfu_ajax_action_read_subfolders function across all versions up to 4.24.15 allows authenticated users with Subscriber+ privileges to perform limited path traversal to view directories and s...
CVE-2024-39639
CVE-2024-39639 affects WordPress File Upload plugin (≤4.24.7). Root cause is Broken Access Control, with Patchstack noting CSRF involvement. Impact is reported as low to medium (CVSS 3.5–4.3 range); patched in version 4.24.8. No exploitation status provided in the sources; monitor for updates fro...
CVE-2024-5852
CVE-2024-5852 refers to WordPress File Upload plugin for WordPress (versions up to 4.24.7) and describes a directory traversal vulnerability exploitable via the uploadpath parameter of the wordpress_file_upload shortcode. Authenticated attackers with Contributor-level access or higher could uploa...
CVE-2015-9340
The CVE-2015-9340 entry refers to the WordPress wp-file-upload plugin prior to 3.0.0, which has insufficient restrictions on uploading PHP, JS, and related script/markup files (php5, phtml, html, htaccess, etc.). The connected Red Hat, CNVD/CVE, CVE records and WPVulnDB entry corroborate this iss...
CVE-2015-9341
The CVE-2015-9341 entry concerns the WordPress wp-file-upload plugin. Affected component: wp-file-upload plugin for WordPress (versions prior to 3.4.1). Root cause: insufficient restrictions on uploads of .php.js files, enabling potentially executable payloads via file upload. Documented impact: ...
CVE-2015-9338
CVE-2015-9338 affects the WordPress wp-file-upload plugin prior to version 2.5.0. The vulnerability arises from insufficient restrictions on uploading PHP files, allowing potentially harmful PHP uploads through the plugin. Affected product is the wp-file-upload plugin for WordPress; root cause is...
CVE-2015-9339
The CVE-2015-9339 entry concerns the WordPress wp-file-upload plugin, affecting versions prior to 2.7.1. The root cause described across connected sources is insufficient restrictions on uploading JavaScript (.js) files. Exploitation details or real-world impact are not provided in the docum...
CVE-2023-2767
CVE-2023-2767 affects the WordPress File Upload and WordPress File Upload Pro plugins for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient input sanitization and output escaping in admin/settings paths, exploitable by authenticated attackers with adm...
CVE-2024-6494
CVE-2024-6494 affects the WordPress File Upload plugin for WordPress, prior to version 4.24.8. The issue is caused by insufficient sanitization/escaping of certain parameters, which could allow unauthenticated users to trigger stored cross-site scripting (XSS). Remediation: upgrade the plugin to ...