Description
The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2026-02-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload with potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The WP FOFT Loader plugin allows authenticated users with Author-level access to upload files to the server without proper type validation. This flaw can be leveraged to place malicious files on the site, creating a pathway for remote code execution. The weakness is a classic instance of CWE-434 (unrestricted upload of a file with a dangerous type). The result is a compromise of integrity and the possibility of executing arbitrary code on the host. The impact is immediate and severe, affecting both confidentiality and availability if the attacker gains further access.

Affected Systems

WordPress sites using the WP FOFT Loader plugin from the vendor seezee. Any installation of the plugin up to and including version 2.1.39 is susceptible. Sites that have not upgraded beyond this version remain at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The attack vector is authenticated; an attacker must have Author or higher access to the WordPress site to exploit the flaw. Once authenticated, the attacker can upload arbitrary files, potentially leading to remote code execution if other conditions are satisfied.

Generated by OpenCVE AI on April 15, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP FOFT Loader to a version newer than 2.1.39 to apply the vendor-released fix for the file type validation bug.
  • If an upgrade is not immediately possible, restrict or disable the Author capability to upload files, or temporarily deactivate the plugin to prevent the upload functionality.
  • Implement additional server-side validation or a security plugin that blocks disallowed file types and monitors for uploaded files to mitigate the exploitation risk.
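The third action above, an independent server-side allowlist in front of the upload path, can be implemented as a small must-use plugin. The following is an added example written for this page; it is not code from WP FOFT Loader or its vendor, and it makes no claim about how that plugin's 'file_and_ext' routine works. The plugin header, the function names prefixed hardened_upload_, the mu-plugins placement and the particular extension allowlist are assumptions chosen for illustration; the hooks 'wp_handle_upload_prefilter' and 'wp_check_filetype_and_ext', the capability 'unfiltered_upload' and the helpers get_allowed_mime_types() and wp_check_filetype_and_ext() are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Hardened upload allowlist (hypothetical mu-plugin, added example)
 * Description: Rejects uploads whose extension or detected type is not on an
 *              explicit allowlist, for users without 'unfiltered_upload'
 *              (Authors and Editors on a single-site install).
 * Install:     copy into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Extensions Author-level users may upload. Assumed list; adjust to the site.
// Web font types are included because the plugin in question manages fonts.
const HARDENED_UPLOAD_ALLOWED_EXT = array(
    'jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'woff', 'woff2',
);

// True if any dot-separated segment after the base name is a server-side
// executable extension, so "photo.php.png" is refused before any MIME logic runs.
function hardened_upload_has_dangerous_segment( $filename ) {
    $dangerous = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht' );
    $segments  = array_map( 'strtolower', explode( '.', $filename ) );
    array_shift( $segments ); // drop the base name; only extensions matter
    return (bool) array_intersect( $segments, $dangerous );
}

// Runs before WordPress moves the temporary file. Returning $file with the
// 'error' key set aborts the upload and surfaces the message in the media UI.
function hardened_upload_prefilter( $file ) {
    if ( current_user_can( 'unfiltered_upload' ) ) {
        return $file; // trusted roles keep WordPress' default behaviour
    }

    $name = isset( $file['name'] ) ? $file['name'] : '';

    if ( hardened_upload_has_dangerous_segment( $name ) ) {
        $file['error'] = 'This file type is not permitted.';
        return $file;
    }

    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, HARDENED_UPLOAD_ALLOWED_EXT, true ) ) {
        $file['error'] = 'Only ' . implode( ', ', HARDENED_UPLOAD_ALLOWED_EXT ) . ' files may be uploaded.';
        return $file;
    }

    // Re-run WordPress' own extension/content check, but only against the
    // restricted subset of the site's MIME map (keys look like 'jpg|jpeg|jpe').
    $allowed_mimes = array_filter(
        get_allowed_mime_types(),
        function ( $ext_pattern ) {
            return (bool) array_intersect( explode( '|', $ext_pattern ), HARDENED_UPLOAD_ALLOWED_EXT );
        },
        ARRAY_FILTER_USE_KEY
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'File contents do not match the declared file type.';
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'hardened_upload_prefilter' );
```

The name-segment and extension checks are the parts that do not depend on any other plugin: they run before the upload is accepted and consult only the allowlist defined here. The final wp_check_filetype_and_ext() call still passes through the 'wp_check_filetype_and_ext' filter, which any installed plugin may modify, so it is a second opinion rather than the sole gate. When verifying the mitigation, upload a renamed text file with an allowed extension and a file with a doubled extension as a low-privilege test account and confirm both are refused.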

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 00:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 21:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 04 Feb 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values Removed: (none)
Values Added: WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:32.763Z

Reserved: 2026-02-02T10:22:57.700Z

Link: CVE-2026-1756

Vulnrichment

Updated: 2026-02-04T16:59:54.618Z

NVD

Status: Deferred

Published: 2026-02-04T07:15:59.267

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses