CVE Daily
← All tags

Tag: Unrestricted File Upload

All CVEs associated with "Unrestricted File Upload". Page 4/14 • 1592 CVEs.

Subscribe CVEs: RSS for “Unrestricted File Upload”  ·  RSS (High+Critical only)

About “Unrestricted File Upload”

A curated feed of “Unrestricted File Upload”-related CVEs appears below. We currently track 1592 CVEs for this tag (all time). In the last 365 days, 310 were published. Average CVSS is 8.3 (all time; 8.5 over 365d), and 80% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-434 - Unrestricted Upload of File with Dangerous Type, CWE-306 - Missing Authentication for Critical Function, CWE-94 - Improper Control of Generation of Code ('Code Injection').

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-03-19
Medium

CVE-2025-29405

An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVSS: 6.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-29401

An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2025-2512

The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and inclu…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-03-18
Critical

CVE-2025-2494

Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the ‘/softdial/phpconsole/upload.php’ endpoint, which is…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-03-17
High

CVE-2025-2396

The U-Office Force from e-Excellence has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and execute web shell backdoors, thereby enabling arbitrar…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-03-08
High

CVE-2024-13359

The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta() fun…

CVSS: 8.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-13882

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in th…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-13908

The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. Th…

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-03-06
Critical

CVE-2025-25361

An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-03-05
Medium

CVE-2025-27411

REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.

CVSS: 5.4 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-03-04
Critical

CVE-2025-26319

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-1307

The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and includ…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-02-28
Critical

CVE-2024-8425

The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_car…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-26
Medium

CVE-2025-25791

An arbitrary file upload vulnerability in the plugin installation feature of YZNCMS v2.0.1 allows attackers to execute arbitrary code via uploading a crafted Zip file.

CVSS: 4.4 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2025-25790

An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-25784

An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-25783

An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-25
Critical

CVE-2025-1128

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file ty…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-22
High

CVE-2024-13869

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all vers…

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-21
Medium

CVE-2025-25766

An arbitrary file upload vulnerability in the component /file/savefile.do of MRCMS v3.1.2 allows attackers to execute arbitrary code via uploading a crafted .jsp file.

CVSS: 4.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2025-02-17
High

CVE-2025-1388

Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-12
Critical

CVE-2024-10960

The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. T…

CVSS: 9.9 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-13365

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through t…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-13714

The All-Images.ai – IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-10
Critical

CVE-2024-13011

The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and includi…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-57408

An arbitrary file upload vulnerability in the component /comm/upload of cool-admin-java v1.0 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-57407

An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 7.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-02-06
High

CVE-2024-57668

In Code-projects Shopping Portal v1.0, the insert-product.php page has an arbitrary file upload vulnerability.

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-1066

OpenPLC_V3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns.

CVSS: 9.8 CWE: N/A View on NVD
2025-02-05
High

CVE-2025-1025

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2025-1028

The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. Th…

CVSS: 8.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-28
Critical

CVE-2024-13448

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and includin…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-25
Critical

CVE-2025-0357

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-24
Medium

CVE-2024-45077

IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of add…

CVSS: 6.5 CWE: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') View on NVD
2025-01-22
Critical

CVE-2024-13091

The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and in…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-17
High

CVE-2024-13333

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This m…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-16
Critical

CVE-2025-0471

Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, bein…

CVSS: 9.9 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-15
Medium

CVE-2024-41454

An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or H…

CVSS: 6.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-57761

An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 8.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-14
High

CVE-2025-0394

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gh_bi…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-13
Critical

CVE-2024-46479

Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.

CVSS: 9.9 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-10
High

CVE-2024-46210

An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-09
High

CVE-2024-12848

The SKT Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the 'addLibraryByArchive' function in all versions up to, and including, 4.6. Th…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2025-01-08
High

CVE-2024-12854

The Garden Gnome Package plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the functionality that automatically extracts 'ggpkg' files that have been…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-12853

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-07
High

CVE-2024-53345

An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-03
Critical

CVE-2024-55078

An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-01-02
Critical

CVE-2024-56829

Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx.

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-24
High

CVE-2024-12881

The PlugVersions – Easily rollback to previous versions of your plugins plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the eos_plugin_reviews_restor…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2024-12-19
High

CVE-2024-12700

There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-14
High

CVE-2024-9698

The Crafthemes Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'process_uploaded_files' function in all versions up to, and includi…

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-13
Critical

CVE-2024-9290

The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_mig…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-12
High

CVE-2024-10590

The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and including, 4.07. This m…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-09
High

CVE-2024-50625

An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to a…

CVSS: 8.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2022-38946

Arbitrary File Upload vulnerability in Doctor-Appointment version 1.0 in /Frontend/signup_com.php, allows attackers to execute arbitrary code.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-12-04
Critical

CVE-2024-40744

Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-12-03
High

CVE-2024-46625

An authenticated arbitrary file upload vulnerability in the /documentCache/upload endpoint of InfoDom Performa 365 v4.0.1 allows attackers to execute arbitrary code via uploading a crafted SVG file.

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-11391

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including,…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-28
Critical

CVE-2024-11082

The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including…

CVSS: 9.9 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-8066

The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-26
Medium

CVE-2024-53619

An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.

CVSS: 6.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-23
Critical

CVE-2024-9942

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-9660

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_load_documets_new() and mj_smgt_load_documet…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-9659

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_user_avatar_image_upload() function in all v…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-21
Critical

CVE-2024-51367

An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2024-51366

An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers to execute arbitrary code via uploading a crafted .conf file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-51364

An arbitrary file upload vulnerability in ModbusMechanic v3.0 allows attackers to execute arbitrary code via uploading a crafted .xml file.

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-20
Critical

CVE-2024-52770

An arbitrary file upload vulnerability in the component /admin/file_manage_control of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 9.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-52769

An arbitrary file upload vulnerability in the component /admin/friendlink_edit of DedeBIZ v6.3.0 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-18
Critical

CVE-2024-51053

An arbitrary file upload vulnerability in the component /main/fileupload.php of AVSCMS v8.2.0 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 9.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-50919

Jpress until v5.1.1 has arbitrary file uploads on the windows platform, and the construction of non-standard file formats such as .jsp. can lead to arbitrary command execution

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-11-16
Critical

CVE-2024-8856

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-9849

The Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-15
Critical

CVE-2024-44758

An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2024-50649

The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2024-50648

yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-11-13
Critical

CVE-2024-10820

The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-09
Critical

CVE-2024-10801

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to,…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-10547

The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including, 1.…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-10627

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-11-06
Critical

CVE-2024-8615

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all versio…

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-8614

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and inc…

CVSS: 9.9 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-31
Critical

CVE-2024-10392

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and includ…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-30
High

CVE-2024-48734

Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because fi…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-48093

Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file exte…

CVSS: 8.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-48646

An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploadin…

CVSS: 8.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-29
High

CVE-2024-7985

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-5982

A path traversal vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability arises from unsanitized input handling in multiple features, including user upload, direct…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-10-28
Critical

CVE-2024-50623

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-26
Critical

CVE-2024-9932

The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-25
Medium

CVE-2024-48450

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group.

CVSS: 6.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
High

CVE-2024-37847

An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file.

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-48448

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-10-22
High

CVE-2024-46482

An arbitrary file upload vulnerability in the Ticket Generation function of Ladybird Web Solution Faveo-Helpdesk v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .html or .sv…

CVSS: 8.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-10-17
High

CVE-2024-49398

The affected product is vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute code.

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-16
High

CVE-2020-36842

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvivid_upload_import_files and wpvivid_upload_files AJA…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2016-15042

The Frontend File Manager (versions < 4.0), N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the `nm…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2021-4449

The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possibl…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-12
Medium

CVE-2024-9756

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in ver…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-10-11
Critical

CVE-2024-46088

An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrar…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-9234

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_an…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2024-10-02
High

CVE-2024-7855

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-10-01
Critical

CVE-2024-9108

The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and inc…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-27
High

CVE-2024-46441

An arbitrary file upload vulnerability in YPay 1.2.0 allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php (called from app/admin/controller/ypay/…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-26
High

CVE-2024-8126

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for a…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-7772

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in all versions up to, and including, 4.6.5. This m…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-25
Critical

CVE-2024-8940

Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST requ…

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-19
Critical

CVE-2024-40125

An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the u…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-18
Critical

CVE-2024-46377

Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-46376

Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the update_account() function of the file rental/admin_class.php.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2024-46375

Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the signup() function of the file rental/admin_class.php.

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-09-13
Medium

CVE-2024-8242

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function i…

CVSS: 4.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-10
High

CVE-2024-44871

An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file.

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-7770

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'uplo…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-09
Critical

CVE-2024-44849

Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-09-07
Medium

CVE-2024-7620

The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. Th…

CVSS: 6.6 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-08-28
High

CVE-2024-6311

The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'af2_add_font' function in all versions up to, and including, 3.7.3.2. Thi…

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-08-23
High

CVE-2024-7559

The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions u…

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-08-22
High

CVE-2024-42767

Kashipara Hotel Management System v1.0 is vulnerable to Unrestricted File Upload RCE via /admin/add_room_controller.php.

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-7384

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD