Description
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
Published: 2026-06-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Background Image Cropper version 1.2 contains a remote code execution flaw that lets an attacker upload any file type through the ups.php endpoint. The vulnerability enables the upload of PHP scripts which the web server then executes, providing full control over the site. This weakness falls under CWE‑434, Unrestricted Upload of File With Dangerous Type, and allows attackers to compromise the integrity and confidentiality of the affected server without authentication.

Affected Systems

The flaw affects the Background Image Cropper plugin for WordPress, specifically version 1.2. No additional vendor or version information is available.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is considered critical. The EPSS score is not provided, and the flaw is not listed in CISA’s KEV catalog, but the combination of unauthenticated access and the ability to execute code makes it highly exploitable. Attackers can directly target the plugin’s ups.php upload form to submit malicious PHP files and gain remote command execution on the host.

Generated by OpenCVE AI on June 8, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Background Image Cropper plugin or remove it if not required.
  • Restrict file uploads to safe MIME types and file extensions, rejecting PHP and other executable scripts.
  • Configure the web server so that the plugin’s upload directory does not allow execution of uploaded files (e.g., use .htaccess Deny from all or disable PHP execution in that folder).
  • Continuously monitor the site’s logs for suspicious upload activity and anomalous behavior.

Generated by OpenCVE AI on June 8, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Background-image-cropper
Background-image-cropper background Image Cropper
Wordpress
Wordpress wordpress
Vendors & Products Background-image-cropper
Background-image-cropper background Image Cropper
Wordpress
Wordpress wordpress

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
Title WordPress Background Image Cropper 1.2 Remote Code Execution
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Background-image-cropper Background Image Cropper
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T13:37:35.169Z

Reserved: 2026-06-05T18:13:45.903Z

Link: CVE-2024-58348

cve-icon Vulnrichment

Updated: 2026-06-08T13:37:30.385Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T02:16:23.267

Modified: 2026-06-08T14:59:44.750

Link: CVE-2024-58348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:57:40Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type