CVE-2024-13091 – WPBot Pro Wordpress Chatbot <= 13.5.4 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13091
21 Jan 2025 — The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-13333 – Advanced File Manager 5.2.12 - 5.2.13 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13333
16 Jan 2025 — The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_connector.php?rev=3200092#L78 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2025-23562 – XLSXviewer <= 2.1.1 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-23562
16 Jan 2025 — The XLSXviewer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2025-23918 – Smallerik File Browser <= 1.1 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-23918
16 Jan 2025 — The Smallerik File Browser plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2025-23921 – Multi Uploader for Gravity Forms <= 1.1.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-23921
16 Jan 2025 — The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2025-23942 – WP Load Gallery <= 2.1.6 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-23942
16 Jan 2025 — The WP Load Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2025-23953 – user files <= 2.4.2 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-23953
16 Jan 2025 — The user files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.4.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2025-22782 – WordPress WR Price List Manager For Woocommerce plugin <= 1.0.8 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-22782
15 Jan 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce allows Upload a Web Shell to a Web Server. This issue affects WR Price List Manager For Woocommerce: from n/a through 1.0.8. • https://patchstack.com/database/wordpress/plugin/wr-price-list-for-woocommerce/vulnerability/wordpress-wr-price-list-manager-for-woocommerce-plugin-1-0-8-remote-code-execution-rce-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-13355 – Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-13355
15 Jan 2025 — The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3222601%40admin-and-client-message-after-order-for-woocommerce&new=3222601%40admin-and-client-message-after-order-for-woocommerce&sfp_email=&sfph_mail= • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2025-22723 – WordPress Barcode Scanner and Inventory manager plugin <= 1.6.7 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-22723
15 Jan 2025 — The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.6.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-6-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •