Description
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.
Published: 2026-06-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an arbitrary file upload (CWE-863) that enables authenticated users with contributor, editor, author, or administrator roles to upload malicious files, such as PHP shells, via the Products tab custom field. Once the file is stored in the upcp-product-file-uploads directory, an attacker can access it and execute arbitrary code on the server, effectively gaining full control over the site and the underlying infrastructure.

Affected Systems

Ultimate Product Catalog by Etoilewebdesign version 3.8.6 is affected.

Risk and Exploitability

With a CVSS score of 8.7 and an EPSS score of < 1%, the finding is classified as high severity. The vulnerability is not listed in the CISA KEV catalog, but the nature of the flaw—allowing code upload and execution once authenticated—poses a significant risk. An attacker who has legitimate or compromised credentials with at least contributor level access can exploit the vulnerability by uploading a PHP shell to the protected directory and then accessing it to run arbitrary commands.

Generated by OpenCVE AI on June 18, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultimate Product Catalog to the latest version that fixes the arbitrary file upload permissions by disabling custom file fields for contributors, editors, and authors, and allow only administrators to upload files.
  • Configure the web server so that the upcp-product-file-uploads directory does not execute PHP files or set it to read‑only.
  • Deploy a web application firewall rule to block execution of uploaded files in the upcp-product-file-uploads directory.

Generated by OpenCVE AI on June 18, 2026 at 03:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Etoilewebdesign
Etoilewebdesign ultimate Product Catalog
Wordpress
Wordpress wordpress
Vendors & Products Etoilewebdesign
Etoilewebdesign ultimate Product Catalog
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.
Title WordPress Ultimate Product Catalog 3.8.6 Arbitrary File Upload RCE
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Etoilewebdesign Ultimate Product Catalog
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T19:24:34.844Z

Reserved: 2026-06-15T11:43:07.416Z

Link: CVE-2016-20075

cve-icon Vulnrichment

Updated: 2026-06-15T15:33:45.672Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:30.803

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20075

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:45:05Z

Weaknesses