Description
Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery fw-gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through <= 8.0.0.
Published: 2025-07-04
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVSS vector recorded for this issue (AV:N, PR:N, UI:N) indicates that the upload can be reached over the network without authentication or user interaction. Because the weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type), the plugin's upload handler does not adequately restrict what kind of file it stores, so an attacker can place a server-side script such as a PHP file into a directory under the web root. On a typical WordPress host a request for that file's URL causes the web server to execute it as the web application's user, which is remote code execution: the attacker can read configuration and database credentials, exfiltrate or alter site data, hijack user sessions and install persistent backdoors. The changed scope (S:C) in the vector reflects that the impact is not confined to the plugin but extends to full control of the affected WordPress site.

Affected Systems

Fastw3b LLC's FW Gallery plugin for WordPress is affected in every version up to and including 8.0.0 (the CVE record gives no lower bound, i.e. all releases). Any installation at version 8.0.0 or below is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 10.0 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges, no user interaction, changed scope, and high impact on confidentiality, integrity and availability. The SSVC assessment records Automatable: yes and Technical Impact: total, with Exploitation: none observed at the time of scoring. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, so exploitation is straightforward in principle but not yet observed at scale. The CVE text does not describe the upload endpoint; that the flaw is reached through the plugin's web-facing upload functionality is inferred from the weakness class (CWE-434) and the network attack vector, and how wide the exposed surface is depends on whether a given site lets unauthenticated visitors reach the gallery's upload feature, which the CVE does not state.

Generated by OpenCVE AI on April 30, 2026 at 16:57 UTC.
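Whether the outcome described under Impact, a script dropped into the uploads directory, has already happened on a given site can be checked with a short hunt over wp-content/uploads. The following is an added example for this page, not code from FW Gallery or from OpenCVE; the directory tree it builds is a constructed fixture, and the list of script extensions is an assumption about what a PHP web host may execute.

```python
"""Hunt for dropped web shells in a WordPress uploads tree.

Constructed example for this advisory, not code from FW Gallery or OpenCVE.
wp-content/uploads should hold only media, so after an unrestricted-upload
bug three things are worth looking for there:
  1. a file whose name carries a server-side script extension anywhere,
     including double extensions such as shell.php.jpg;
  2. a file of any name containing a PHP open tag (an image/PHP polyglot
     runs if the server is ever persuaded to parse it as PHP);
  3. a dropped .htaccess or .user.ini, which attackers use to re-enable
     PHP handling in a directory where the host had disabled it.
The extension list is an assumption about what a PHP host may execute.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

SCRIPT_EXT = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht",
    "phps", "inc", "shtml", "cgi", "pl",
}
SERVER_CONFIG_FILES = {".htaccess", ".user.ini"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
HEAD_BYTES = 1 << 20  # inspect only the first MiB of each file


def classify(path: Path) -> list[str]:
    """Return the rules this file trips; an empty list means it looks clean."""
    hits: list[str] = []
    name = path.name.lower()
    if name in SERVER_CONFIG_FILES:
        hits.append("server-config-file")
    # Look at every extension segment, so shell.php.jpg is caught as well.
    if any(ext in SCRIPT_EXT for ext in name.split(".")[1:]):
        hits.append("script-extension")
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if PHP_OPEN_TAG.search(head):
        hits.append("php-open-tag")
    return hits


def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Walk root and return {relative path: rules tripped} for flagged files."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        hits = classify(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture: one benign JPEG, three planted shells, one .htaccess."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    files = {
        "2025/07/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "2025/07/shell.php": b"<?php system($_GET['cmd']); ?>",
        "2025/07/shell.php.jpg": b"\xff\xd8\xff\xe0<?php eval($_POST['x']); ?>",
        "2025/07/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"<?php passthru($_GET['c']); ?>",
        ".htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    # Point scan_uploads at a real wp-content/uploads to use this on a site.
    for rel, rules in scan_uploads(build_sample_tree()).items():
        print(f"{rel}: {', '.join(rules)}")
```

A hit on any rule is worth a closer look rather than an automatic verdict: a legitimate image will never contain a PHP open tag, but a site owner may have placed a .htaccess in uploads deliberately, so compare any flagged file against the plugin's and host's known configuration before treating it as an indicator of compromise.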

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FW Gallery plugin to a release later than 8.0.0 (i.e. >= 8.0.1) as soon as the vendor publishes one, and confirm in the vendor's changelog that the release addresses this issue; at the time of this page's enrichment no vendor fix was recorded.
  • If an update is unavailable, restrict the plugin's upload handler to an allowlist of image types verified by file content rather than by extension alone, reject multi-extension names such as shell.php.jpg, and store uploads outside the web root or in a directory where the web server is configured not to execute scripts (for example, PHP handling disabled for wp-content/uploads), so that even a file that slips through cannot be executed.
  • If neither update nor reconfiguration is possible immediately, deactivate or uninstall the plugin to remove the upload endpoint entirely; afterwards inspect the uploads directory for files that should not be there, since removing the plugin does not clean up anything already dropped.



Advisories
Source  ID               Title
EUVD    EUVD-2025-20008  Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through 8.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through 8.0.0.
Values added: Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery fw-gallery allows Using Malicious Files.This issue affects FW Gallery: from n/a through <= 8.0.0.

Type: Title
Values removed: WordPress FW Gallery <= 8.0.0 - Arbitrary File Upload Vulnerability
Values added: WordPress FW Gallery plugin <= 8.0.0 - Arbitrary File Upload Vulnerability

Type: References (changed values not shown)

Type: Metrics (cvssV3_1)
Value: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Tue, 08 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 11:30:00 +0000

Type: Description
Values added: Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through 8.0.0.

Type: Title
Values added: WordPress FW Gallery <= 8.0.0 - Arbitrary File Upload Vulnerability

Type: Weaknesses
Values added: CWE-434

Type: References (values not shown)

Type: Metrics (cvssV3_1)
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:03.919Z

Reserved: 2025-06-04T15:44:12.382Z

Link: CVE-2025-49414

Vulnrichment

Updated: 2025-07-08T13:59:33.161Z

NVD

Status : Deferred

Published: 2025-07-04T12:15:30.817

Modified: 2026-04-23T15:31:38.430

Link: CVE-2025-49414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:00:15Z

Weaknesses