Description
The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2026-04-08
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The plugin Gerador de Certificados – DevApps for WordPress contains an arbitrary file upload vulnerability because the moveUploadedFile() function does not validate file types. Attackers who can authenticate with Administrator or higher privileges can upload any file to the server, and by placing a web‑accessible script, may achieve remote code execution. The flaw represents a classic file upload weakness (CWE‑434) and compromises the integrity and potential confidentiality of the site.

Affected Systems

The vulnerability affects the WordPress plugin Gerador de Certificados – DevApps from the vendor tidevapps, in all releases up to and including version 1.3.6. Users running these or earlier versions are exposed.

Risk and Exploitability

The CVSS base score of 7.2 indicates a moderate to high severity when the conditions are met. The exploit requires authenticated access with Administrator privileges, making the attack vector internal and limited to privileged users. No public exploit indicators or KEV listing are currently available, and EPSS data is missing, so the likelihood of exploitation today is uncertain, but the potential for serious impact remains if an administrator can be coerced or compromised.

Generated by OpenCVE AI on April 8, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gerador de Certificados – DevApps plugin to version 1.3.7 or later, if available.
  • If no newer version exists, consider uninstalling the plugin until a patch is released.
  • Ensure that only trusted administrators have access to the WordPress admin area, and enforce least‑privilege principles.
  • As an interim measure, restrict the maximum upload size and configure the server to block execution of uploaded files in the upload directory.

Generated by OpenCVE AI on April 8, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Tidevapps
Tidevapps gerador De Certificados – Devapps
Wordpress
Wordpress wordpress
Vendors & Products Tidevapps
Tidevapps gerador De Certificados – Devapps
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Tidevapps Gerador De Certificados – Devapps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:59.542Z

Reserved: 2026-03-25T12:34:19.415Z

Link: CVE-2026-4808

cve-icon Vulnrichment

Updated: 2026-04-08T14:19:09.594Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T07:16:22.517

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-4808

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:43:42Z

Weaknesses