Threats Tagged 'cwe-434'

FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, and filter_input(INPUT_POST) bypasses wp_magic_quotes() slashing — allowing a single quote in the account-id or api-key parameter to break out of the single-quoted PHP string literal in the write_config() define() statement. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. This is possible because the 'cf-images-nonce' nonce required by the AJAX handler is exposed to all Author-level and above users on wp-admin/upload.php via the CFImages JavaScript object, meaning any upload-capable user can satisfy the nonce check and reach the vulnerable wp-config.php write path.

CVE-2026-52705 is a critical vulnerability in BDthemes SigmaForms Pro – AI Generated Forms versions up to and including 1.4.5. It allows unauthenticated attackers to upload arbitrary files of dangerous types, leading to potential full compromise of confidentiality, integrity, and availability. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). No official patch or remediation guidance is currently available from the vendor.

Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.

CVE-2026-40748 is a critical vulnerability in themagnifico52 Kids Gift Shop versions up to 0.5.4 that allows subscribers to upload arbitrary files without restriction on file type. This unrestricted file upload can lead to severe consequences including full system compromise. The vulnerability is classified under CWE-434, indicating unsafe handling of file uploads. No official patch or remediation has been confirmed yet.

Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.

CVE-2026-40746 is a critical vulnerability in themagnifico52's Restaurant Zone product, versions up to and including 0.7.8. It allows subscribers to upload arbitrary files without restriction on file type, which can lead to severe consequences including full system compromise. The vulnerability is classified under CWE-434, indicating unrestricted file upload of dangerous types. No official patch or remediation has been confirmed yet.

Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.

Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions.