Description
Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.1.
Published: 2026-05-27
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from an unrestricted upload feature that accepts any file type, enabling attackers to upload a web shell or other malicious script. This gives an attacker the ability to execute arbitrary code on the host, potentially leading to data theft, server defacement, or further compromise. The weakness maps to CWE-434, Unrestricted Upload of File with Dangerous Type.

Affected Systems

The WPify Woo Czech plugin, versions 5.4.1 and earlier, is affected. Any WordPress instance using this plugin and allowing users to upload files is vulnerable.

Risk and Exploitability

With a CVSS score of 9.9, the vulnerability is classified as critical. The EPSS score is very low (< 1%) and the CVE is not listed in KEV, but neither reduces the risk to sites that expose the plugin upload interface. The CVSS vector rates the attack as network-reachable and low-complexity with low privileges required (AV:N/AC:L/PR:L): an attacker holding such an account can submit a malicious file through the upload form and gain remote code execution without additional privileges.

Generated by OpenCVE AI on May 27, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPify Woo Czech to a version newer than 5.4.1 that resolves the upload issue.
  • If an immediate update is not feasible, remove the plugin or disable its upload functionality until a fix is applied.
  • Audit existing uploads for unauthorized files and quarantine any that appear to be malicious scripts.


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpify; Wpify woo Czech
Vendors & Products | | Wordpress; Wordpress wordpress; Wpify; Wpify woo Czech

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.1.
Title | | WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability
Weaknesses | | CWE-434
References | |
Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:50:18.502Z

Reserved: 2026-04-29T09:05:30.887Z

Link: CVE-2026-42748

Vulnrichment

Updated: 2026-05-27T10:50:13.929Z

NVD

Status: Received

Published: 2026-05-27T11:16:21.290

Modified: 2026-05-27T11:16:21.290

Link: CVE-2026-42748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:45:32Z

Weaknesses