cleantalk
Vulnerabilities and Security Researches

Administrator Z, 658bc68d240cbff2bb311b2eece6e3a3beefea33

CVE, Research URL

658bc68d240cbff2bb311b2eece6e3a3beefea33

Home page URL

Security reports for Administrator Z

Application

Administrator Z

Published on
Nov 02, 2022
Research Description
Administrator Z [administrator-z] < 2022.9.29 Administrator Z <= 2022.9.28 - Unauthorized File Upload via ACF The Administrator Z plugin for WordPress uses Advanced Custom Fields which has a file upload vulnerability in versions up to, and including, 5.12.2. This makes it possible for users without the upload_files capability, such as contributors, or unauthenticated users in cases where a frontend form is added to the site, to upload allowed file types. The upload is handled by WordPress so file type and extension checks still occur, though this could potentially be used by high-privileged users in certain locked-down configurations to bypass other security mechanisms and upload dangerous file types. This affects versions up to, and including, 2022.9.28 in the Administrator Z plugin.
Affected versions
Min -, max 2022.9.29.
Status
vulnerable
Previous vulnerability researches
Administrator Z (CVE-2025-2815) , Apr 03, 2025
Administrator Z (658bc68d240cbff2bb311b2eece6e3a3beefea33) , Jun 07, 2024
Administrator Z (CVE-2025-32187) , Apr 06, 2025
Administrator Z (CVE-2025-32276) , Apr 06, 2025
Administrator Z (CVE-2024-50524) , Nov 03, 2024
New vulnerability
Verowa Connect (CVE-2025-32676) , Apr 11, 2025
YouTube Embed (CVE-2025-31008) , Apr 11, 2025
Multiple Location Google Map (CVE-2025-32617) , Apr 11, 2025
Accredible Certificates &amp; Open Badges (CVE-2024-13909) , Apr 11, 2025
Simple Spoiler (CVE-2025-31020) , Apr 11, 2025