CVE Daily
← All tags

Tag: Unrestricted File Upload

All CVEs associated with "Unrestricted File Upload". Page 1/1 • 66 CVEs.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-08-16
Critical

CVE-2025-7441

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API en…

CVSS: 9.8 CWE: CWE-434
Read more
High

CVE-2025-6079

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and includi…

CVSS: 8.8 CWE: CWE-434
Read more
2025-08-15
Critical

CVE-2025-6679

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthen…

CVSS: 9.8 CWE: CWE-434
Read more
2025-08-13
High

CVE-2012-10056

PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ direct…

CVSS: 8.7 CWE: CWE-434
Read more
Critical

CVE-2012-10054

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary f…

CVSS: 9.3 CWE: CWE-22
Read more
2025-08-11
Critical

CVE-2012-10038

Auxilium RateMyPet contains an unauthenticated arbitrary file upload vulnerability in upload_banners.php. The banner upload feature fails to validate file types or enforce authentication, allowing re…

CVSS: 9.3 CWE: CWE-434
Read more
2025-08-08
Critical

CVE-2012-10052

EGallery version 1.2 contains an unauthenticated arbitrary file upload vulnerability in the uploadify.php script. The application fails to validate file types or enforce authentication, allowing remo…

CVSS: 9.3 CWE: CWE-434
Read more
Critical

CVE-2012-10050

CuteFlow version 2.11.2 and earlier contains an arbitrary file upload vulnerability in the restart_circulation_values_write.php script. The application fails to validate or restrict uploaded file typ…

CVSS: 9.3 CWE: CWE-434
Read more
Critical

CVE-2012-10049

WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uplo…

CVSS: 9.3 CWE: CWE-434
Read more
High

CVE-2012-10042

Sflog! CMS 1.0 contains an authenticated arbitrary file upload vulnerability in the blog management interface. The application ships with default credentials (admin:secret) and allows authenticated u…

CVSS: 8.7 CWE: CWE-434
Read more
Critical

CVE-2012-10036

Project Pier 0.8.8 and earlier contains an unauthenticated arbitrary file upload vulnerability in tools/upload_file.php. The upload handler fails to validate the file type or enforce authentication,…

CVSS: 9.3 CWE: CWE-434
Read more
2025-08-06
High

CVE-2025-51056

An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' cust…

CVSS: 8.2 CWE: CWE-434
Read more
2025-08-05
Critical

CVE-2014-125113

An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the downlo…

CVSS: 9.3 CWE: CWE-306
Read more
Critical

CVE-2013-10067

Glossword versions 1.8.8 through 1.8.12 contain an authenticated arbitrary file upload vulnerability. When deployed as a standalone application, the administrative interface (gw_admin.php) allows use…

CVSS: 9.4 CWE: CWE-434
Read more
Critical

CVE-2013-10066

An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userp…

CVSS: 10.0 CWE: CWE-434
Read more
Critical

CVE-2012-10026

The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded f…

CVSS: 10.0 CWE: CWE-434
Read more
High

CVE-2025-6207

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including,…

CVSS: 7.5 CWE: CWE-434
Read more
High

CVE-2025-5061

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and includin…

CVSS: 7.5 CWE: CWE-434
Read more
2025-08-04
Critical

CVE-2025-52239

An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file.

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2013-10054

An unauthenticated arbitrary file upload vulnerability exists in LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager p…

CVSS: 9.3 CWE: CWE-434
Read more
2025-08-01
Critical

CVE-2013-10055

An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension val…

CVSS: 9.3 CWE: CWE-434
Read more
Critical

CVE-2013-10047

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server’s filesystem. By abusing the…

CVSS: 9.3 CWE: CWE-434
Read more
High

CVE-2013-10044

An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once e…

CVSS: 8.7 CWE: CWE-89
Read more
High

CVE-2025-7443

The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file…

CVSS: 8.1 CWE: CWE-434
Read more
2025-07-31
Critical

CVE-2014-125126

An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=…

CVSS: 9.2 CWE: CWE-306
Read more
Critical

CVE-2013-10038

An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, al…

CVSS: 9.3 CWE: CWE-434
Read more
Critical

CVE-2013-10034

An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafte…

CVSS: 9.3 CWE: CWE-434
Read more
High

CVE-2025-7847

The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possi…

CVSS: 8.8 CWE: CWE-434
Read more
2025-07-30
High

CVE-2025-8323

The e-School from Ventem has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on t…

CVSS: 8.8 CWE: CWE-434
Read more
2025-07-25
High

CVE-2025-5831

The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This…

CVSS: 8.8 CWE: CWE-434
Read more
High

CVE-2015-10144

The Responsive Thumbnail Slider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type sanitization in the via the image uploader in versions up to 1.0.1. This makes it…

CVSS: 8.8 CWE: CWE-434
Read more
2025-07-24
Critical

CVE-2025-7852

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all vers…

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2025-7437

The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. Th…

CVSS: 9.8 CWE: CWE-434
Read more
2025-07-23
Critical

CVE-2025-40599

An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary…

CVSS: 9.1 CWE: CWE-434
Read more
2025-07-22
Critical

CVE-2015-10137

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and inclu…

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2012-10020

The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, and including, 0.4.2.1. This makes it possi…

CVSS: 9.8 CWE: CWE-434
Read more
2025-07-21
High

CVE-2025-7917

WinMatrix3 Web package developed by Simopro Technology has an Arbitrary File Upload vulnerability, allowing remote attackers with administrator privileges to upload and execute web shell backdoors, t…

CVSS: 7.2 CWE: CWE-434
Read more
2025-07-19
Critical

CVE-2015-10138

The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to,…

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2016-15043

The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in resize.php file in versions up to, and including, 3.5. This makes it possibl…

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2015-10135

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possibl…

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2012-10019

The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauth…

CVSS: 9.8 CWE: CWE-434
Read more
2025-07-18
Medium

CVE-2025-46000

An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG fil…

CVSS: 6.5 CWE: CWE-94
Read more
Critical

CVE-2025-46001

An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVSS: 9.8 CWE: CWE-434
Read more
High

CVE-2025-7438

The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'install_and_activate_plugin' function in all versions up to, and…

CVSS: 7.5 CWE: CWE-434
Read more
Critical

CVE-2025-6222

The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation i…

CVSS: 9.8 CWE: CWE-434
Read more
2025-07-16
Critical

CVE-2025-34121

An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameter…

CVSS: 9.3 CWE: CWE-306
Read more
2025-07-15
Critical

CVE-2025-34111

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows…

CVSS: 9.3 CWE: CWE-20
Read more
Critical

CVE-2025-7340

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_f…

CVSS: 9.8 CWE: CWE-434
Read more
Critical

CVE-2025-5394

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() fun…

CVSS: 9.8 CWE: CWE-862
Read more
2025-07-14
Medium

CVE-2025-51650

An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to execute arbitrary code via uploading a crafted template file.

CVSS: 5.6 CWE: CWE-77
Read more
2025-07-12
Critical

CVE-2020-36849

The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php fi…

CVSS: 9.8 CWE: CWE-434
Read more
High

CVE-2025-6423

The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and inclu…

CVSS: 8.8 CWE: CWE-434
Read more
Critical

CVE-2025-6058

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all vers…

CVSS: 9.8 CWE: CWE-434
Read more
High

CVE-2025-6057

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This m…

CVSS: 8.8 CWE: CWE-434
Read more
2025-07-10
Critical

CVE-2025-34100

An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly…

CVSS: 9.3 CWE: CWE-20
Read more
High

CVE-2025-34097

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a…

CVSS: 8.6 CWE: CWE-434
Read more
2025-07-07
Critical

CVE-2025-6802

Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of…

CVSS: 9.8 CWE: CWE-434
Read more
2025-06-24
High

CVE-2025-6206

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in th…

CVSS: 7.5 CWE: CWE-434
Read more
2025-06-17
High

CVE-2025-34511

Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authentic…

CVSS: 8.8 CWE: CWE-434
Read more
High

CVE-2025-3515

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1…

CVSS: 8.1 CWE: CWE-434
Read more
2025-04-04
High

CVE-2025-2780

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to…

CVSS: 8.8 CWE: CWE-434
Read more
2025-04-02
Critical

CVE-2025-2005

The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and incl…

CVSS: 9.8 CWE: CWE-434
Read more
2025-03-20
Critical

CVE-2024-10902

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upl…

CVSS: 9.8 CWE: CWE-73
Read more
2025-03-19
Critical

CVE-2025-2512

The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and inclu…

CVSS: 9.8 CWE: CWE-434
Read more
2025-01-24
Medium

CVE-2024-45077

IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of add…

CVSS: 6.5 CWE: CWE-98
Read more
2024-04-10
Critical

CVE-2024-2221

qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. T…

CVSS: 9.8 CWE: CWE-434
Read more