Description
Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.14.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload allowing web shell deployment, leading to remote code execution
Action: Immediate Update
AI Analysis

Impact

The vulnerability permits an attacker to upload any file type, including executable web shells, to a WordPress site. This flaw originates from insufficient file type validation (CWE-434) and, if a malicious script is uploaded, can result in remote code execution, compromising the confidentiality, integrity, and availability of the affected system.

Affected Systems

WP Chill Filr plugin, versions n/a through 1.2.14, installed on WordPress websites.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is considered high severity. The EPSS score of less than 1% suggests exploitation is currently unlikely, yet the presence of an unauthenticated upload interface indicates that a remote attacker could exploit it by simply sending a specially crafted request to the plugin’s upload endpoint. The vulnerability is not listed in CISA’s KEV catalog, but the potential for remote code execution warrants proactive mitigation.

Generated by OpenCVE AI on April 15, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Filr plugin version (1.2.15 or newer) where the upload validation has been tightened.
  • If an upgrade is not possible, disable or remove the Filr plugin entirely to eliminate the upload vector.
  • If the plugin must remain, configure the web server or a WAF to block execution of any uploaded files (e.g., deny PHP, .exe, or other executable extensions in the upload directory).

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.12.
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.14.

Type: Title
Values Removed: WordPress Filr plugin <= 1.2.12 - Arbitrary File Upload vulnerability
Values Added: WordPress Filr plugin <= 1.2.14 - Arbitrary File Upload vulnerability

Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wp Chill; Wp Chill filr

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wp Chill; Wp Chill filr

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server. This issue affects Filr: from n/a through <= 1.2.12.

Type: Title
Values Added: WordPress Filr plugin <= 1.2.12 - Arbitrary File Upload vulnerability

Type: Weaknesses
Values Added: CWE-434
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:49.358Z

Reserved: 2026-02-25T12:14:18.579Z

Link: CVE-2026-28133

Vulnrichment

Updated: 2026-03-11T16:00:25.217Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:48.060

Modified: 2026-04-01T15:22:57.697

Link: CVE-2026-28133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z
