Description
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible.
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the gutenbee_file_and_ext_json function of the GutenBee – Gutenberg Blocks plugin, which the advisory title places on WordPress's wp_check_filetype_and_ext filter, i.e. in the validation step of the standard media upload path. A flawed strpos() check accepts any filename that merely contains the substring ".json", even when the real (trailing) extension is something else, so a double-extension name such as shell.json.php passes as JSON. An authenticated user with the Author role or higher, who can already upload media, can therefore upload a file that the web server may execute, which leads to remote code execution and compromises the confidentiality, integrity, and availability of the WordPress site.
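As an added illustration (not the plugin's code; the advisory does not publish the body of gutenbee_file_and_ext_json), the pattern the description identifies, a strpos() substring test, beside a hardened check that decides on the real trailing extension and refuses an executable extension anywhere in the name. The function names, the extension list and the sample filenames are assumptions made here; the wp_check_filetype_and_ext wiring uses WordPress's real filter signature but is only registered when WordPress is loaded, so the file also runs stand-alone under php-cli.

```php
<?php
// Added example, not the GutenBee plugin's own code. It reproduces the class
// of check the advisory describes (a strpos() substring test on the upload's
// filename) next to a hardened replacement. Function names, the extension list
// and the sample filenames are hypothetical / constructed for this demo.

// Vulnerable pattern: "does the name contain '.json'?" is not the same
// question as "is the file's extension .json?". strpos() finds '.json' in
// 'shell.json.php', so the check passes and a .php file is accepted.
function vulnerable_is_json(string $filename): bool {
    return strpos($filename, '.json') !== false;
}

// Extensions a web server may hand to an interpreter. Any of these appearing
// as any dot-separated segment (not only the last) is rejected, because
// Apache's AddHandler can treat 'x.php.json' as PHP as well.
const EXECUTABLE_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                         'phar', 'pht', 'phps', 'cgi', 'pl', 'py', 'sh', 'htaccess'];

// Hardened: look only at the final extension, case-insensitively, on the
// basename, and refuse an executable extension anywhere in the name.
function hardened_is_json(string $filename): bool {
    $base     = strtolower(basename(trim($filename)));
    $segments = explode('.', $base);
    if (count($segments) < 2 || $segments[0] === '') {
        return false;                       // no extension, or a dotfile
    }
    if (end($segments) !== 'json') {
        return false;                       // 'shell.json.php' ends in php
    }
    foreach (array_slice($segments, 1, -1) as $inner) {
        if (in_array($inner, EXECUTABLE_EXTS, true)) {
            return false;                   // 'shell.php.json'
        }
    }
    return true;
}

// How the hardened check would sit on WordPress's wp_check_filetype_and_ext
// filter (arguments: $data, $file, $filename, $mimes, $real_mime). Registered
// only when WordPress is loaded, so this script also runs under php-cli.
function hardened_json_filter(array $data, string $file, string $filename, $mimes, $real_mime = false): array {
    if (hardened_is_json($filename)) {
        $data['ext']  = 'json';
        $data['type'] = 'application/json';
    }
    return $data;                            // anything else: leave WP's verdict alone
}
if (function_exists('add_filter')) {
    add_filter('wp_check_filetype_and_ext', 'hardened_json_filter', 10, 5);
}

// Constructed sample names; the two checks disagree exactly on the bypasses.
$samples = ['config.json', 'CONFIG.JSON', 'shell.json.php', 'shell.php.json',
            '.json', 'shell.json.', 'notes.txt', '../evil.json.phtml'];
printf("%-22s %-10s %s\n", 'filename', 'strpos', 'hardened');
foreach ($samples as $name) {
    printf("%-22s %-10s %s\n", $name,
        vulnerable_is_json($name) ? 'accept' : 'reject',
        hardened_is_json($name)  ? 'accept' : 'reject');
}
```

Run it with php-cli to see the two columns side by side: the substring test accepts shell.json.php, shell.php.json, shell.json. and ../evil.json.phtml, while the hardened test accepts only config.json and CONFIG.JSON. The inner-segment rule is stricter than strictly necessary on nginx/php-fpm setups, but it is the rule WordPress's own sanitize_file_name follows, and accepting x.php.json on an Apache host with AddHandler is the same bug in the other order.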

Affected Systems

Vulnerable versions include all releases of the GutenBee – Gutenberg Blocks plugin up to and including 2.20.1. The plugin is installed on WordPress sites; any site that has deployed a vulnerable version is at risk. Core WordPress and other plugins are not directly affected by this flaw.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity: network-reachable, low complexity, no user interaction, and full impact on confidentiality, integrity and availability, with the only precondition being an Author-level or higher account. EPSS is currently below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: total. Those figures describe observed exploitation, not difficulty: on any publicly reachable site that grants Author accounts (multi-author blogs, sites with contributor onboarding, or a single phished or reused author credential) the attack is a normal media upload with a crafted filename. No public exploit is known at the time of writing, which lowers the short-term likelihood but not the impact; because the description itself names the bypass shape (a double-extension filename), patching should not be deferred on that basis.

Generated by OpenCVE AI on May 28, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround is recorded in this entry. The affected range (all versions up to and including 2.20.1) implies the fix shipped in the next release, 2.20.2; confirm against the plugin's changelog before relying on it.

OpenCVE Recommended Actions

  • Upgrade the GutenBee – Gutenberg Blocks plugin to version 2.20.2 or later (the first release outside the affected range).
  • If an upgrade cannot be performed immediately, deactivate the plugin; that unregisters its wp_check_filetype_and_ext filter and removes the bypass until a patched version is installed.
  • Restrict the Author role and higher to trusted users, and audit existing accounts at those levels, since the attack requires only an authenticated upload.
  • Review wp-content/uploads for double-extension names (for example *.json.php) and for .json files that contain PHP code, and confirm the web server is configured not to execute scripts from the uploads directory.
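A php-cli sweep for the review step above, added here as an example and not part of the advisory or of the plugin. It walks an uploads tree and flags filenames matching the bypass shape the advisory describes (a '.json' segment that is not the final extension, or an executable extension anywhere in the name) and .json files whose first bytes are a PHP open tag. The extension list, the paths and the sample files are constructed for the demo; point it at a real wp-content/uploads to use it.

```php
<?php
// Added example, not part of the advisory or of the GutenBee plugin: a php-cli
// sweep of a WordPress uploads tree for files matching the bypass shape the
// advisory describes and for .json files that carry PHP code. The extension
// list, the demo paths and the sample files below are constructed.

const EXEC_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                   'phar', 'pht', 'phps', 'cgi', 'pl', 'py', 'sh'];

// Return a human-readable reason the filename is suspicious, or null.
function name_reason(string $path): ?string {
    $segs = explode('.', strtolower(basename($path)));
    if (count($segs) < 2) {
        return null;
    }
    $last  = end($segs);
    $inner = array_slice($segs, 1, -1);
    if (in_array($last, EXEC_EXTS, true)) {
        return "final extension .$last is executable";
    }
    foreach ($inner as $seg) {
        if (in_array($seg, EXEC_EXTS, true)) {
            return "inner extension .$seg may be executed under Apache AddHandler";
        }
    }
    if (in_array('json', $inner, true)) {
        return "'.json' is not the final extension (file ends in .$last)";
    }
    return null;
}

// A .json file should never start with a PHP open tag; check the first 512 bytes.
function content_reason(string $path): ?string {
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'json') {
        return null;
    }
    $head = file_get_contents($path, false, null, 0, 512);
    if ($head === false) {
        return null;
    }
    return preg_match('/<\?(php|=)/i', $head) ? 'PHP open tag inside a .json file' : null;
}

// Walk the tree; each hit records path, mtime (useful for the incident timeline) and reason.
function scan_uploads(string $root): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $path   = $info->getPathname();
        $reason = name_reason($path) ?? content_reason($path);
        if ($reason !== null) {
            $hits[] = ['path' => $path, 'mtime' => date('c', $info->getMTime()), 'reason' => $reason];
        }
    }
    return $hits;
}

// Usage: php scan_uploads.php /var/www/html/wp-content/uploads
// With no argument, build a throwaway tree of constructed samples instead.
$demo = !isset($argv[1]);
$root = $demo ? sys_get_temp_dir() . '/uploads-demo-' . getmypid() : $argv[1];
if ($demo) {
    mkdir("$root/2026/05", 0700, true);
    file_put_contents("$root/2026/05/block-config.json", '{"block":"gutenbee"}'); // benign
    file_put_contents("$root/2026/05/shell.json.php",    '<?php echo "not json";');
    file_put_contents("$root/2026/05/shell.php.json",    '<?php echo "not json";');
    file_put_contents("$root/2026/05/innocent.json",     '<?php echo "not json";');
}
foreach (scan_uploads($root) as $hit) {
    printf("%s  %s  %s\n", $hit['mtime'], $hit['path'], $hit['reason']);
}
if ($demo) {
    array_map('unlink', glob("$root/2026/05/*"));
    rmdir("$root/2026/05"); rmdir("$root/2026"); rmdir($root);
}
```

In the demo tree the three planted files are reported and block-config.json is not. Filename checks alone miss a payload that was uploaded with a clean .json name and relies on a server misconfiguration to execute, which is why the content check is there; a hit with an mtime inside the exposure window is the starting point for pulling the corresponding POST /wp-admin/async-upload.php or REST media request out of the access logs and identifying the account that made it.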

Generated by OpenCVE AI on May 28, 2026 at 08:22 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible.
Title        (none)           GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter
Weaknesses   (none)           CWE-434
References   (none)           (none listed)
Metrics      (none)           cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:35:06.797Z

Reserved: 2026-05-21T18:32:17.661Z

Link: CVE-2026-9227

Vulnrichment

Updated: 2026-05-28T10:35:00.545Z

NVD

Status : Deferred

Published: 2026-05-28T08:16:37.713

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-9227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses