Unknown Wordpress File Upload vulnerabilities
6 known vulnerabilities affecting unknown/wordpress_file_upload.
Total CVEs
6
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH1MEDIUM5
Vulnerabilities
Page 1 of 1
CVE-2024-6494MEDIUMCVSS 6.1fixed in 4.24.82024-08-07
CVE-2024-6494 [MEDIUM] CWE-79 CVE-2024-6494: The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certa
The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.
cvelistv5nvd
CVE-2024-6651MEDIUMCVSS 6.1PoCfixed in 4.24.82024-08-06
CVE-2024-6651 [MEDIUM] CWE-79 CVE-2024-6651: The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter be
The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
cvelistv5nvd
CVE-2023-4811MEDIUMCVSS 5.4fixed in 4.23.32023-10-16
CVE-2023-4811 [MEDIUM] CWE-79 CVE-2023-4811: The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its se
The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
cvelistv5nvd
CVE-2021-24962HIGHCVSS 8.8≥ 4.16.3, < 4.16.32022-03-28
CVE-2021-24962 [HIGH] CWE-22 CVE-2021-24962: The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as lo
The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.
cvelistv5nvd
CVE-2021-24961MEDIUMCVSS 5.4≥ 4.16.3, < 4.16.32022-03-07
CVE-2021-24961 [MEDIUM] CWE-79 CVE-2021-24961: The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
cvelistv5nvd
CVE-2021-24960MEDIUMCVSS 5.4≥ 4.16.3, < 4.16.32022-03-07
CVE-2021-24960 [MEDIUM] CWE-434 CVE-2021-24960: The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks
cvelistv5nvd