Description
The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdc_custom_init() function, which processes the 'eufdc-delete' parameter without any nonce verification, capability check, or attachment ownership validation. This makes it possible for unauthenticated attackers to permanently delete arbitrary media library attachments from the WordPress site.
Published: 2026-07-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdc_custom_init() function, which processes the 'eufdc-delete' parameter without any nonce verification, capability check, or attachment ownership validation. This makes it possible for unauthenticated attackers to permanently delete arbitrary media library attachments from the WordPress site.
Title Easy Upload Files During Checkout <= 3.0.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion via 'eufdc-delete' Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-10T07:48:42.690Z

Reserved: 2026-04-21T14:52:47.934Z

Link: CVE-2026-6802

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key