5 matches found
CVE-2021-24961
CVE-2021-24961 affects WordPress File Upload plugin (pre-4.16.3) and WordPress File Upload Pro plugin (pre-4.16.3). The vulnerability is a failure to escape certain shortcode arguments, enabling Stored Cross-Site Scripting via shortcodes for users with a role as low as Contributor. The issue is d...
CVE-2021-24960
CVE-2021-24960 concerns the WordPress File Upload plugin (and the wordpress-file-upload-pro variant) prior to version 4.16.3. The issue allows users with a role as low as Contributor to configure the upload form so SVG files can be uploaded, enabling stored Cross-Site Scripting (XSS). Reported im...
CVE-2021-24962
CVE-2021-24962 affects WordPress File Upload Free and Pro plugins prior to 4.16.3. Path traversal via a shortcode argument enables uploading PHP code disguised as an image into the plugin’s autoload directory, resulting in arbitrary code execution (RCE). Public PoCs exist (see wpexploit...
CVE-2023-2688
CVE-2023-2688 affects WordPress File Upload and WordPress File Upload Pro plugins for WordPress. Vulnerability: Path Traversal via wfu_newpath allows an administrator to move files uploaded to wp-content/uploads outside the web root, potentially exposing sensitive directories. Affected versions: ...
CVE-2023-2767
CVE-2023-2767 affects the WordPress File Upload and WordPress File Upload Pro plugins for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient input sanitization and output escaping in admin/settings paths, exploitable by authenticated attackers with adm...