Description
Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
Published: 2026-06-15
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated user can send files to the GeekyBot WordPress plugin and have them stored on the web server because the plugin does not validate file types or extensions, a weakness described as CWE‑434. No explicit confirmation exists that the uploaded files could be executed, but the mere ability to place arbitrary files in an accessible location indicates a high potential for further compromise. Based on the nature of the vulnerability, attackers might attempt to upload malicious scripts or binaries that could later be executed by a compromised user or by misconfiguration of the web server.

Affected Systems

The flaw is in the Ahmad:GeekyBot WordPress plugin, affecting all releases up to and including version 1.2.2. Site owners who have installed or are operating any version of the plugin that is 1.2.2 or older are impacted. Upgrading to version 1.2.3 or a newer release removes the vulnerability.

Risk and Exploitability

The CVSS score of 10 highlights a critical severity. Although the EPSS score is below 1 % suggesting a low current exploitation probability, the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a remote HTTP or HTTPS request that reaches the plugin’s upload endpoint without requiring authentication, permitting the attacker to submit multipart requests and upload arbitrary files.

Generated by OpenCVE AI on June 18, 2026 at 00:57 UTC.

Remediation

Vendor Solution

Update the WordPress GeekyBot Plugin to the latest available version (at least 1.2.3).


OpenCVE Recommended Actions

  • Update the GeekyBot plugin to version 1.2.3 or later.
  • If the plugin cannot be updated immediately, configure the site to reject uploaded files that are not of known safe types (e.g., restrict to .jpg, .png) and disable the upload feature via plugin settings or a security rule.
  • Continuously monitor upload directories and web server logs for unexpected file uploads to detect potential abuse early.

Generated by OpenCVE AI on June 18, 2026 at 00:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ahmad
Ahmad geekybot
Wordpress
Wordpress wordpress
Vendors & Products Ahmad
Ahmad geekybot
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
Title WordPress GeekyBot plugin <= 1.2.2 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Ahmad Geekybot
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:40:03.294Z

Reserved: 2026-04-15T09:20:36.793Z

Link: CVE-2026-40772

cve-icon Vulnrichment

Updated: 2026-06-16T14:39:59.682Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:49.873

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40772

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:33Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type