Description
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS apartment-management allows Upload a Web Shell to a Web Server. This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).
Published: 2025-05-19
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPAMS apartment-management plugin for WordPress, developed by mojoomla, exposes an upload feature that does not restrict the type of file it accepts. An attacker who can reach that feature can upload a web shell and then execute arbitrary code on the web server. The weakness is classified as Unrestricted Upload of File with Dangerous Type (CWE-434).

Affected Systems

The vulnerability affects the WPAMS plugin developed by mojoomla. All installations from the unspecified initial release ("n/a") through version 44.0 (released 17-08-2023) are impacted; no other products or vendors are mentioned.

Risk and Exploitability

The CVSS score of 9.9 rates the flaw as critical, while the EPSS score of < 1% indicates a very low estimated probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The description implies a network-reachable upload interface, so the likely vector is web-based: an attacker who can reach the upload form with valid credentials, whether legitimate or compromised, can upload a web shell and potentially gain full control over the host.

Generated by OpenCVE AI on May 1, 2026 at 08:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPAMS plugin to a patched version that addresses the upload flaw once the vendor releases one.
  • If an immediate upgrade is not possible, configure the web server or application to deny script execution in the upload directory and restrict accepted uploads to an allowlist of safe file types, validated by extension and file content rather than by the client-supplied MIME type alone.
  • Deploy a web-application firewall or custom script that detects common web shell signatures and blocks their execution.
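The allowlist check from the second recommended action, written out as an added reference example (not code from the WPAMS plugin or from OpenCVE); the function, the extension sets and the sample bytes are constructed for this illustration, and a WordPress plugin would port the same gate to PHP.

```python
"""Reference upload gate for CWE-434 hardening (added example, not plugin code).

Accepts an upload only when the filename is a plain basename with exactly one
extension, that extension is on an allowlist, and the file's leading bytes match
the type the extension claims. Names and the type table are constructed here.
"""
import re

# Extensions a PHP-enabled web server may execute; never store these under uploads.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}

# Allowlisted extension -> magic-byte prefixes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Exactly one dot: rejects "shell.php.jpg", "shell.php\x00.jpg" and any path separator.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,100}\.[a-z0-9]{1,8}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and file body."""
    name = filename.lower()
    if not SAFE_NAME.match(name):
        return False, "filename must be a plain basename with a single extension"
    ext = name.rsplit(".", 1)[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return False, f".{ext} is server-executable"
    if ext not in ALLOWED_TYPES:
        return False, f".{ext} is not on the allowlist"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like a .{ext} file"
    # Defence in depth against polyglots (valid image header, PHP in the body);
    # this does not replace denying script execution in the upload directory.
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP open tag embedded in file body"
    return True, "ok"


# Constructed samples: a genuine JPEG header followed by filler, and a harmless PHP body.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
PHP_BYTES = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for fname, body in [("photo.jpg", JPEG_BYTES), ("shell.php", PHP_BYTES),
                        ("shell.php.jpg", JPEG_BYTES), ("pic.png", PHP_BYTES),
                        ("poly.jpg", JPEG_BYTES + PHP_BYTES)]:
        print(fname, validate_upload(fname, body))
```

In a WordPress plugin the equivalent gate is normally wp_check_filetype_and_ext() followed by wp_handle_upload(), which apply the site's allowed-type list; the web server must still be configured to refuse script execution under wp-content/uploads.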



Advisories
Source: EUVD
ID: EUVD-2025-15766
Title: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server. This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
Value: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server. This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS apartment-management allows Upload a Web Shell to a Web Server. This issue affects WPAMS: from n/a through <= 44.0 (17-08-2023).
Type: References
Type: Metrics cvssV3_1
Value: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Mon, 19 May 2025 22:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 19:30:00 +0000

Type: Description
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server. This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
Type: Title
Values Added: WordPress WPAMS plugin <= 44.0 (17-08-2023) - Arbitrary File Upload vulnerability
Type: Weaknesses
Values Added: CWE-434
Type: References
Type: Metrics cvssV3_1
Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:30.150Z

Reserved: 2025-04-16T06:22:51.799Z

Link: CVE-2025-39402

Vulnrichment

Updated: 2025-05-19T21:13:12.249Z

NVD

Status: Deferred

Published: 2025-05-19T20:15:25.433

Modified: 2026-04-23T15:29:29.170

Link: CVE-2025-39402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses