Description
Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files. This issue affects Green Downloads: from n/a through <= 2.08.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload with potential code execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to upload any type of file through the Green Downloads plugin on WordPress sites, because the plugin validates neither the MIME type nor the file extension. Because the plugin stores uploaded files on the server, a malicious actor could place executable code or otherwise dangerous content that, once accessed, could compromise the site. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

WordPress installations that have the halfdata Green Downloads plugin version 2.08 or earlier are affected. The upload functionality of the plugin can be reached by users who have the necessary privileges in the WordPress administration interface, providing a path for an attacker to place files on the server.

Risk and Exploitability

The CVSS base score of 9.9 categorizes this flaw as critical. Although no EPSS value is available, the high severity score and the fact that the vulnerability exists in a widely used WordPress plugin suggest that exploitation is likely. The vulnerability is not listed in the CISA KEV catalog, but this does not reduce the inherent risk. Based on the description, it is inferred that the attack vector is remote exploitation through the plugin's file upload interface, which can be accessed by authenticated users with sufficient privileges.

Generated by OpenCVE AI on March 26, 2026 at 01:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of the Green Downloads plugin (any version newer than 2.08) to eliminate the arbitrary file upload flaw.
  • If an update cannot be applied immediately, disable or remove the upload capability from the plugin or uninstall the plugin entirely to eliminate the attack vector.
  • Configure the server or the plugin to limit accepted file extensions to safe types such as jpg or png and reject executable files.
  • Implement a web application firewall rule or adjust server configuration to block uploads of disallowed extensions.
  • Monitor upload logs for suspicious activity and maintain alerts for unauthorized file additions.
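
An added example, not code from the plugin or from OpenCVE: a fail-closed allow-list check of the kind the extension-restriction recommendation describes, validating both the file extension and the leading content bytes, since the flaw is that neither is checked. The function name, the allow-list, the one-dot naming policy and the sample uploads are assumptions constructed for illustration.

```python
import os

# Allowed extension -> magic-byte prefixes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Heuristic: a server-side script opener has no place inside an image.
SCRIPT_MARKERS = (b"<?php",)


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); anything not explicitly allowed is rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        return False, "path separator or NUL byte in name"
    stem, dot, ext = base.lower().rpartition(".")
    # Strict policy (assumption): one dot only, so 'a.php.jpg' never reaches disk.
    if not dot or not stem or "." in stem:
        return False, "name must be <stem>.<ext>"
    signatures = ALLOWED.get(ext)
    if signatures is None:
        return False, "extension not on allow-list"
    if not content.startswith(signatures):
        return False, "content does not match extension"
    lowered = content.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker inside file"
    return True, "ok"


# Constructed sample uploads (not taken from the advisory).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("photo.jpg", JPEG),
    ("report.php", b"<?php echo 1; ?>"),
    ("report.php.jpg", JPEG),
    ("logo.png", b"<?php echo 1; ?>"),
    ("logo.png", PNG + b"<?php echo 1; ?>"),
    ("../photo.jpg", JPEG),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        accepted, reason = check_upload(name, data)
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {name!r}: {reason}")
```

Storing accepted files under a server-generated name in a directory where script execution is disabled complements this check, because the magic-byte and marker tests are heuristics rather than a full parse of the image.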


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Halfdata; Halfdata stripe Green Downloads; Wordpress; Wordpress wordpress
  • Vendors & Products: Halfdata; Halfdata stripe Green Downloads; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Values Removed: none
Values Added:
  • Metrics:
      cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Values Removed: none
Values Added:
  • Description: Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files. This issue affects Green Downloads: from n/a through <= 2.08.
  • Title: WordPress Green Downloads plugin <= 2.08 - Arbitrary File Upload vulnerability
  • Weaknesses: CWE-434
  • References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:20:42.466Z

Reserved: 2026-03-12T11:12:24.777Z

Link: CVE-2026-32536

Vulnrichment

Updated: 2026-03-25T20:19:18.283Z

NVD

Status: Received

Published: 2026-03-25T17:17:07.293

Modified: 2026-03-25T21:16:45.867

Link: CVE-2026-32536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:17Z

Weaknesses