cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for wp-file-upload

May 07, 2025

WordPress File Upload # CVE-2024-6494
CVE: CVE-2024-6494
Application: WordPress File Upload
Date: Aug 07, 2024
Research Description: The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.
Affected versions: Min -, max -.
Status: vulnerable
Feb 27, 2025

WordPress File Upload # CVE-2024-13494
CVE: CVE-2024-13494
Application: WordPress File Upload
Date: Feb 25, 2025
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data details associated with uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable
Jan 09, 2025

WordPress File Upload # CVE-2024-9939
CVE: CVE-2024-9939
Application: WordPress File Upload
Date: Jan 08, 2025
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.13 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read files outside of the originally intended directory.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2024-11613
CVE: CVE-2024-11613
Application: WordPress File Upload
Date: Jan 08, 2025
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2024-11635
CVE: CVE-2024-11635
Application: WordPress File Upload
Date: Jan 08, 2025
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
Affected versions: Min -, max -.
Status: vulnerable
Jan 08, 2025

WordPress File Upload # CVE-2024-12719
CVE: CVE-2024-12719
Application: WordPress File Upload
Date: Jan 07, 2025
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed.
Affected versions: Min -, max -.
Status: vulnerable
Oct 13, 2024

WordPress File Upload # CVE-2024-9047
CVE: CVE-2024-9047
Application: WordPress File Upload
Date: Oct 12, 2024
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
Affected versions: Min -, max -.
Status: vulnerable
Aug 17, 2024

WordPress File Upload # CVE-2024-7301
CVE: CVE-2024-7301
Application: WordPress File Upload
Date: Aug 16, 2024
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.24.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Affected versions: Min -, max -.
Status: vulnerable
Aug 08, 2024

WordPress File Upload # CVE-2024-6651
CVE: CVE-2024-6651
Application: WordPress File Upload
Date: Aug 06, 2024
Research Description: The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Affected versions: Min -, max -.
Status: vulnerable
Aug 05, 2024

WordPress File Upload # CVE-2024-39639
CVE: CVE-2024-39639
Application: WordPress File Upload
Date: Nov 01, 2024
Research Description: Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress File Upload: from n/a through 4.24.7.
Affected versions: Min -, max -.
Status: vulnerable
Jul 16, 2024

WordPress File Upload # CVE-2024-5852
CVE: CVE-2024-5852
Application: WordPress File Upload
Date: Jul 16, 2024
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.24.7 via the 'uploadpath' parameter of the wordpress_file_upload shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files to arbitrary locations on the web server.
Affected versions: Min -, max -.
Status: vulnerable
Jun 07, 2024

WordPress File Upload # CVE-2015-9338
CVE: CVE-2015-9338
Application: WordPress File Upload
Date: Aug 23, 2019
Research Description: The wp-file-upload plugin before 2.5.0 for WordPress has insufficient restrictions on upload of .php files.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2020-10564
CVE: CVE-2020-10564
Application: WordPress File Upload
Date: Mar 14, 2020
Research Description: An issue was discovered in the File Upload plugin before 4.13.0 for WordPress. A directory traversal can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2014-5199
CVE: CVE-2014-5199
Application: WordPress File Upload
Date: Aug 13, 2014
Research Description: Cross-site request forgery (CSRF) vulnerability in the WordPress File Upload plugin (wp-file-upload) before 2.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2021-24961
CVE: CVE-2021-24961
Application: WordPress File Upload
Date: Mar 07, 2022
Research Description: The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2015-9339
CVE: CVE-2015-9339
Application: WordPress File Upload
Date: Aug 23, 2019
Research Description: The wp-file-upload plugin before 2.7.1 for WordPress has insufficient restrictions on upload of .js files.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2023-2688
CVE: CVE-2023-2688
Application: WordPress File Upload
Date: Jun 09, 2023
Research Description: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2015-9341
CVE: CVE-2015-9341
Application: WordPress File Upload
Date: Aug 23, 2019
Research Description: The wp-file-upload plugin before 3.4.1 for WordPress has insufficient restrictions on upload of .php.js files.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2015-9340
CVE: CVE-2015-9340
Application: WordPress File Upload
Date: Aug 23, 2019
Research Description: The wp-file-upload plugin before 3.0.0 for WordPress has insufficient restrictions on upload of php, js, pht, php3, php4, php5, phtml, htm, html, and htaccess files.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2018-9844
CVE: CVE-2018-9844
Application: WordPress File Upload
Date: Apr 07, 2018
Research Description: The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2018-9172
CVE: CVE-2018-9172
Application: WordPress File Upload
Date: Apr 02, 2018
Research Description: The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2023-4811
CVE: CVE-2023-4811
Application: WordPress File Upload
Date: Oct 17, 2023
Research Description: The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2021-24962
CVE: CVE-2021-24962
Application: WordPress File Upload
Date: Mar 28, 2022
Research Description: The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2023-2767
CVE: CVE-2023-2767
Application: WordPress File Upload
Date: Jun 09, 2023
Research Description: The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.19.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2021-24960
CVE: CVE-2021-24960
Application: WordPress File Upload
Date: Mar 07, 2022
Research Description: The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2014-125110
CVE: CVE-2014-125110
Application: WordPress File Upload
Date: Apr 01, 2024
Research Description: A vulnerability has been found in wp-file-upload Plugin up to 2.4.3 on WordPress and classified as problematic. Affected by this vulnerability is the function wfu_ajax_action_callback of the file lib/wfu_ajaxactions.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.4.4 is able to address this issue. The identifier of the patch is c846327df030a0a97da036a2f07c769ab9284ddb. It is recommended to upgrade the affected component. The identifier VDB-258781 was assigned to this vulnerability.
Affected versions: Min -, max -.
Status: vulnerable

WordPress File Upload # CVE-2024-2847
CVE: CVE-2024-2847
Application: WordPress File Upload
Date: Apr 10, 2024
Research Description: The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.24.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable