Description
Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server. This issue affects Smallerik File Browser: from n/a through <= 1.1.
Published: 2025-01-22
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Smallerik File Browser plugin for WordPress includes an unrestricted file upload feature that accepts dangerous file types. An attacker can upload a malicious script such as a web shell, which the web server then executes, giving the attacker complete control over the server's filesystem, processes, and data. This vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type) and enables both confidentiality and integrity breaches.

Affected Systems

All releases of the Smallerik File Browser plugin by Enrico Sandoli with a version number less than or equal to 1.1. The vulnerability exists for all WordPress installations that have the plugin enabled in that version range.

Risk and Exploitability

The CVSS score of 9.9 reflects the severe impact of this flaw. The EPSS score of less than 1% indicates that, at the time of analysis, the vulnerability was not frequently exploited, and it is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s upload interface, which may require administrative privileges; if users with sufficient permissions can upload files, the attacker can deliver a web shell directly to the server. Once uploaded, the script can be executed and provide remote code execution, making it a critical threat for any affected site.

Generated by OpenCVE AI on May 1, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Smallerik File Browser plugin to the latest version that resolves the arbitrary file upload flaw; if no fix is available, disable the plugin until a patch is released.
  • Configure the web server to prevent execution of files in the plugin’s upload directory (e.g., set the directory to non‑executable permissions or use .htaccess rules).
  • Enforce strict file type validation using a whitelist of allowed MIME types and reject any disallowed extensions or content types.
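As an added example (not the Smallerik plugin's own code), the last two recommendations in plain PHP for an Apache host: an extension and content-type allowlist, a server-chosen filename, and a .htaccess that stops the upload directory from executing anything. The form field name, upload directory and allowlist are assumptions.

```php
<?php
// Added example, not the Smallerik plugin's code: allowlist validation for an
// upload handler plus a non-executable upload directory (CWE-434 mitigations).
// Assumptions: form field "upload", writable $uploadDir, Apache with
// AllowOverride permitting FileInfo and AuthConfig for that directory.
// Extension => MIME type that libmagic must report for the file's bytes.
const ALLOWED_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg',
    'jpeg' => 'image/jpeg', 'gif' => 'image/gif', 'pdf' => 'application/pdf'];

// Returns the allowlisted extension to store under, or null to reject.
function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    // Only the final extension counts; shell.php, shell.phtml, shell.png.php all fail.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Never trust the client-sent $file['type']; sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_TYPES[$ext]) {
        return null; // e.g. PHP source renamed to .png
    }
    return $ext;
}

// .htaccess that makes Apache serve everything here as inert bytes and refuses
// known script extensions outright, so a polyglot that passes sniffing is not run.
function harden_upload_dir(string $dir): void
{
    $rules = "SetHandler default-handler\n"
           . "<FilesMatch \"\\.(ph(p[0-9]?|tml|ar)|cgi|pl|py|sh)$\">\n"
           . "    Require all denied\n</FilesMatch>\n";
    file_put_contents($dir . '/.htaccess', $rules);
}

function store_upload(array $file, string $uploadDir): ?string
{
    $ext = validate_upload($file);
    if ($ext === null) { return null; }
    harden_upload_dir($uploadDir);
    // Server-chosen random name: original name and any extra extensions are dropped.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Storing uploads outside the document root, or behind a handler that serves them with a fixed Content-Type, removes the dependence on the .htaccess being honoured.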

Advisories

Source  ID              Title
EUVD    EUVD-2025-3533  Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Smallerik File Browser allows Upload a Web Shell to a Web Server. This issue affects Smallerik File Browser: from n/a through 1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values Removed: -
  Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Smallerik File Browser allows Upload a Web Shell to a Web Server. This issue affects Smallerik File Browser: from n/a through 1.1.
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in Enrico Sandoli Smallerik File Browser smallerik-file-browser allows Upload a Web Shell to a Web Server.This issue affects Smallerik File Browser: from n/a through <= 1.1.

  Type: References
  Values Removed: -
  Values Added: -

  Type: Metrics (cvssV3_1)
  Values Removed: -
  Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 22 Jan 2025 20:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: -
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000

  Type: Description
  Values Removed: -
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Smallerik File Browser allows Upload a Web Shell to a Web Server. This issue affects Smallerik File Browser: from n/a through 1.1.

  Type: Title
  Values Removed: -
  Values Added: WordPress Smallerik File Browser plugin <= 1.1 - Arbitrary File Upload vulnerability

  Type: Weaknesses
  Values Removed: -
  Values Added: CWE-434

  Type: References
  Values Removed: -
  Values Added: -

  Type: Metrics (cvssV3_1)
  Values Removed: -
  Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:24.923Z

Reserved: 2025-01-16T11:32:12.976Z

Link: CVE-2025-23918

Vulnrichment

Updated: 2025-01-22T15:32:01.970Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:25.403

Modified: 2026-04-23T15:24:46.733

Link: CVE-2025-23918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:30:23Z

Weaknesses