Search Results (4283 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13094 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-7487 2026-04-15 6.3 Medium
A vulnerability, which was classified as critical, was found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26. This affects the function SysFileController of the file /file/upload. The manipulation of the argument portraitFile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
CVE-2025-7917 2026-04-15 7.2 High
WinMatrix3 Web package developed by Simopro Technology has an Arbitrary File Upload vulnerability, allowing remote attackers with administrator privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVE-2025-8265 1 299ko 1 Cms 2026-04-15 4.7 Medium
A vulnerability classified as critical has been found in 299Ko CMS 2.0.0. This affects an unknown part of the file /admin/filemanager/view of the component File Management. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-8323 1 Ventem 1 E-school 2026-04-15 8.8 High
The e-School from Ventem has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVE-2025-12966 2 Plugins360, Wordpress 2 All-in-one Video Gallery, Wordpress 2026-04-15 8.8 High
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-9099 2026-04-15 6.3 Medium
A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-11320 1 Zhuimengshaonian 1 Wisdom-education 2026-04-15 6.3 Medium
A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Impacted is the function uploadFile of the file src/main/java/com/education/core/controller/UploadController.java. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-11221 1 Gtone 1 Changeflow 2026-04-15 8.8 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1.
CVE-2024-9698 1 Wordpress 1 Wordpress 2026-04-15 7.2 High
The Crafthemes Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'process_uploaded_files' function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-9648 2026-04-15 6.1 Medium
The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server which may make make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable, however, the earliest tested version for a patch we have access to is 1.9.4, so we are considering 1.9.4 the patched version.
CVE-2025-0731 2026-04-15 6.5 Medium
An unauthenticated remote attacker can upload a .aspx file instead of a PV system picture through the demo account. The code can only be executed in the security context of the user.
CVE-2024-9290 2026-04-15 9.8 Critical
The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-9278 1 Huankemao 1 Scrm 2026-04-15 4.7 Medium
A vulnerability, which was classified as critical, has been found in HuankeMao SCRM up to 0.0.3. Affected by this issue is the function upload_domain_verification_file of the file WxkConfig.php of the component Administrator Backend. The manipulation of the argument domain_verification_file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-9108 1 Xunhuweb 1 Wechat Social Login 2026-04-15 9.8 Critical
The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-8743 1 Bitapps 1 File Manager 2026-04-15 6.8 Medium
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.
CVE-2024-7257 1 Yaycommerce 1 Yayextra 2026-04-15 9.8 Critical
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-7074 2026-04-15 6.8 Medium
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
CVE-2022-41573 2026-04-15 9.8 Critical
An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.
CVE-2024-4904 2026-04-15 6.3 Medium
A vulnerability was found in Byzoro Smart S200 Management Platform up to 20240507. It has been rated as critical. This issue affects some unknown processing of the file /useratte/userattestation.php. The manipulation of the argument web_img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264437 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.