Description
WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Attackers can upload arbitrary files through the filemanager upload endpoint to achieve remote code execution and complete system compromise.
Published: 2026-05-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin WP Super Edit through version 2.5.4 allows arbitrary files to be uploaded without type validation. This flaw, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), enables an attacker who can reach the filemanager upload endpoint to place executable code on the web server, leading to remote code execution and a full compromise of the affected site.

Affected Systems

The vulnerability affects WordPress sites running the WP Super Edit plugin version 2.5.4 or older. Any site on which this component is installed or enabled is potentially exposed, regardless of its theme or other configuration, since the vulnerable code ships with the plugin itself rather than with a particular WordPress setup.

Risk and Exploitability

The CVSS score of 9.3 signals a critically severe issue and, despite an unavailable EPSS score, the ease of uploading files indicates a high likelihood of exploitation in environments where the plugin is active. The vulnerability is not listed in the CISA KEV catalog, but its remote code execution potential keeps it a top priority. Attackers can achieve compromise by sending a crafted upload request through the plugin's filemanager endpoint, typically after authenticating as an administrator or by exploiting a bypass that permits unauthenticated uploads.

Generated by OpenCVE AI on May 15, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Super Edit to the latest version that addresses the unrestricted upload flaw
  • If an upgrade is not immediately possible, remove or completely uninstall the WP Super Edit plugin to eliminate the vulnerable component
  • Configure web server or application firewall rules to reject file uploads that do not match an explicitly allowed set of MIME types and file extensions, providing an additional layer of protection
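The third recommendation above (accept only an explicit allowlist of extensions and MIME types) is shown here as an added reference implementation in Python. It is not the plugin's code and not part of this record; the allowed-type table is an assumed example policy, and the sample uploads at the bottom are constructed. The check goes slightly beyond the bullet: it also strips path components, rejects multiple extensions (so `file.php.png` never reaches the server as such), and verifies the file's leading bytes against the signature expected for the claimed type, so a declared `image/png` that actually starts with script text is refused.

```python
import re
from dataclasses import dataclass

# Assumed example policy: final extension -> (required Content-Type, accepted magic-byte prefixes).
# Anything not in this table is rejected; there is deliberately no blocklist to bypass.
ALLOWED_TYPES = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "pdf": ("application/pdf", (b"%PDF-",)),
}

# Exactly one dot: a short alphanumeric stem plus a single extension. This rules out
# double extensions, hidden files, path separators and control characters in one go.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.([A-Za-z0-9]{1,5})$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""  # normalised name to use on disk when accepted


def validate_upload(filename: str, declared_type: str, head: bytes) -> Verdict:
    """Decide whether an upload may be stored.

    filename      -- client-supplied name (untrusted)
    declared_type -- client-supplied Content-Type header (untrusted)
    head          -- first bytes of the uploaded content (the only trustworthy signal)
    """
    # Drop any directory part the client sent, whether with / or \ separators.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base:
        return Verdict(False, "NUL byte in filename")

    match = SAFE_NAME.match(base)
    if not match:
        return Verdict(False, "filename must be <stem>.<ext> with one extension")

    ext = match.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension .{ext} is not on the allowlist")

    required_type, signatures = ALLOWED_TYPES[ext]
    # Ignore parameters such as "; charset=binary" when comparing the media type.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != required_type:
        return Verdict(False, f"Content-Type {declared!r} does not match .{ext}")

    if not any(head.startswith(sig) for sig in signatures):
        return Verdict(False, f"content does not carry the signature of a .{ext} file")

    return Verdict(True, "ok", base.lower())


# Constructed sample uploads (name, declared Content-Type, first bytes of content).
SAMPLE_UPLOADS = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("PHOTO.PNG", "image/png; charset=binary", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php", "image/png", b"<?php system($_GET['c']); ?>"),
    ("shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    ("photo.png", "image/png", b"<?php echo 1; ?>"),
    ("photo.png", "application/octet-stream", b"\x89PNG\r\n\x1a\n"),
    ("../../uploads/evil.png", "image/png", b"\x89PNG\r\n\x1a\n"),
]


def run_samples() -> list:
    """Apply the check to every constructed sample and return (name, accepted, reason)."""
    return [(name, *validate_upload(name, ctype, head).__dict__.values())
            for name, ctype, head in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for name, accepted, reason, stored in run_samples():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name!r:28} {reason}"
              + (f" -> stored as {stored!r}" if accepted else ""))
```

The filename and Content-Type are treated as hints to be cross-checked, never as the decision; only the content signature is trusted, and even then the stored name is the normalised base name, so a path-traversal prefix never reaches the filesystem. A check like this belongs alongside, not instead of, a server configuration that refuses to execute scripts from the upload directory.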


Advisories

No advisories yet.

History

Fri, 15 May 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Attackers can upload arbitrary files through the filemanager upload endpoint to achieve remote code execution and complete system compromise.

Type: Title
Values Removed: (none)
Values Added: WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Upload

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T20:10:17.554Z

Reserved: 2026-05-15T16:35:45.714Z

Link: CVE-2021-47965

Vulnrichment

Updated: 2026-05-15T20:10:03.401Z

NVD

Status: Received

Published: 2026-05-15T19:16:56.163

Modified: 2026-05-15T19:16:56.163

Link: CVE-2021-47965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses