Description
The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2026-02-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The OS DataHub Maps WordPress plugin suffers from incorrect file type validation in the function OS_DataHub_Maps_Admin::add_file_and_ext. This flaw allows an authenticated user with Author-level or higher access to upload any file type to the site's server. Once an attacker can place arbitrary files on the server, they may achieve remote code execution by uploading a script or other executable payload. The flaw is classified as CWE-434, which covers improper validation of an uploaded file's type or extension.

Affected Systems

This vulnerability affects the OS DataHub Maps plugin from skirridsystems in all plugin versions up to and including 1.8.3. Any WordPress site running one of these versions is at risk wherever an account with the Author role or higher can reach the upload feature.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity with the potential for remote code execution. The EPSS score is less than 1%, suggesting that, while the flaw is serious, it is currently unlikely to be widely exploited. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate access with Author-level privileges, making it a credentialed attack; the primary risk therefore lies with accounts that hold Author-level or higher permissions.

Generated by OpenCVE AI on April 15, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OS DataHub Maps plugin to the latest available version that removes the improper file type validation.
  • If an immediate update is not possible, disable or restrict the file upload feature so that only safely validated file types can be uploaded, such as by using WordPress file type restrictions or a dedicated security plugin.
  • Review and limit user roles—remove Author-level access from users who do not require it—to reduce the number of accounts able to upload files.
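As an added illustration of the second recommended action, not code from the plugin or from OpenCVE, the following WordPress upload handler validates file type on the server against an allow-list. Names prefixed "example_" and the allow-list entries are hypothetical; the WordPress APIs called are real, and the handler gates on a specific capability rather than a broad role.

```php
<?php
// Added illustration, not the plugin's code. "example_" names are hypothetical;
// the WordPress APIs called are real.

// Allow-list of extension => MIME type for a hypothetical map-data form.
function example_allowed_mimes() {
    return array(
        'geojson' => 'application/geo+json',
        'json'    => 'application/json',
        'csv'     => 'text/csv',
    );
}

// Accept only files whose extension is on the allow-list and, for types
// WordPress can sniff, whose content agrees. The client-supplied
// $file['type'] is deliberately never consulted.
function example_validate_upload( array $file ) {
    if ( substr_count( $file['name'], '.' ) !== 1 ) {
        return new WP_Error( 'bad_name', 'Nested or missing extension.' );
    }
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], example_allowed_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    return true;
}

function example_handle_upload() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_upload' ); // CSRF nonce; dies on failure
    if ( empty( $_FILES['map_file'] ) ) {
        wp_die( 'No file submitted.', 400 );
    }
    $valid = example_validate_upload( $_FILES['map_file'] );
    if ( is_wp_error( $valid ) ) {
        wp_die( esc_html( $valid->get_error_message() ), 400 );
    }
    // wp_handle_upload re-checks the type against the same allow-list and
    // stores the file under wp-content/uploads with a sanitized name.
    $result = wp_handle_upload( $_FILES['map_file'], array(
        'test_form' => false,
        'mimes'     => example_allowed_mimes(),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
}
add_action( 'admin_post_example_upload', 'example_handle_upload' );
```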

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Skirridsystems; Skirridsystems os Datahub Maps; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Skirridsystems; Skirridsystems os Datahub Maps; Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 13:15:00 +0000

Type: Description
Values Added: The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values Added: OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:20.702Z

Reserved: 2026-01-31T19:01:42.116Z

Link: CVE-2026-1730

Vulnrichment

Updated: 2026-02-03T15:44:57.355Z

NVD

Status: Deferred

Published: 2026-02-03T08:16:15.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses