Description
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11.
Published: 2025-05-23
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability enables an attacker to upload files of any type, including web shells, to the WordPress server. Once uploaded, the attacker can execute code as the web server, enabling full control over the compromised site and potential lateral movement. This represents a classic arbitrarily dangerous type upload flaw (CWE‑434) with severe confidentiality, integrity and availability implications.

Affected Systems

The flaw is present in the WordPress Hospital Management System plugin from mojoomla, affecting version 47.0 and earlier. Sites hosting this plugin are at risk when the upload mechanism remains accessible.

Risk and Exploitability

The CVSS score of 9.9 reflects a critical severity and indicates that a network attacker can exploit the flaw remotely. The EPSS score of less than 1% suggests that, as of the latest data, exploitation is not highly prevalent in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web‑based file upload request sent to the plugin’s upload endpoint; when accessed by an attacker, it permits uploading a malicious file that then executes on the server.

Generated by OpenCVE AI on April 30, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hospital Management System plugin to a version newer than 47.0, ensuring the fix is applied
  • If an upgrade cannot be performed immediately, disable the upload capability of the plugin or relocate its directory outside the web root to prevent execution of uploaded files
  • Configure server‑side validation to accept only trusted file types and MIME types, rejecting all others, and consider adding a WAF rule that blocks suspicious upload attempts

Generated by OpenCVE AI on April 30, 2026 at 12:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28113 Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System hospital-management allows Upload a Web Shell to a Web Server.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023). Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11.
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11. Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System hospital-management allows Upload a Web Shell to a Web Server.This issue affects Hospital Management System: from n/a through <= 47.0(20-11-2023).
References

Tue, 27 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11.
Title WordPress Hospital Management System plugin <= 47.0(20-11-2023) - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Hospital Management System Hospital Management System
Hospital Management System Project Hospital Management System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.615Z

Reserved: 2025-05-07T10:45:20.229Z

Link: CVE-2025-47663

cve-icon Vulnrichment

Updated: 2025-05-27T14:19:47.151Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:42.353

Modified: 2026-04-28T19:32:31.833

Link: CVE-2025-47663

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:30:16Z

Weaknesses