CWE-434: Unrestricted File Upload

CVE-2021-47758 allows authenticated attackers to upload malicious PHP plugins through Chikitsa Patient Management System's module upload functionality...

The Supreme Modules Lite WordPress plugin has an arbitrary file upload vulnerability in versions up to 2.5.62. Authenticated attackers with author-lev...

This vulnerability allows authenticated attackers to execute arbitrary PHP code on WBCE CMS servers by uploading malicious droplets through the admin ...

This vulnerability allows remote attackers to execute arbitrary code on Automai Director v25.2.0 systems by exploiting the update mechanism. Attackers...

The WP Enable WebP WordPress plugin has a vulnerability that allows authenticated attackers with Author-level permissions or higher to upload arbitrar...

CVE-2025-15240 is an arbitrary file upload vulnerability in QOCA aim AI Medical Cloud Platform that allows authenticated attackers to upload malicious...

CVE-2025-55061 is an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to vulnerable systems. This coul...

This vulnerability allows attackers to upload malicious files to Specto CM systems, potentially leading to remote code execution. It affects all Spect...

WebTareas 2.4 contains an authenticated file upload vulnerability that allows attackers to upload malicious PHP files and execute arbitrary code on th...

Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, allowing attackers to upload malicious files to the server. This can lead to remo...

File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives. Attackers ca...

CVE-2023-53933 is a remote code execution vulnerability in Serendipity 2.4.0 that allows authenticated attackers to upload malicious PHP files with .p...

This vulnerability allows authenticated attackers to upload malicious PHP files disguised as avatar images in UliCMS, leading to remote code execution...

CVE-2023-53868 is a remote code execution vulnerability in Coppermine Gallery that allows authenticated attackers to upload malicious PHP files throug...

FNT Command 13.4.0 contains a vulnerability in its C Base Module that allows remote code execution. Attackers can upload malicious files to execute ar...

The WP3D Model Import Viewer plugin for WordPress has a vulnerability that allows authenticated attackers with Author-level access or higher to upload...

The Infility Global WordPress plugin allows authenticated attackers with subscriber-level access or higher to upload arbitrary files due to missing fi...

This vulnerability allows authenticated administrators in WBCE CMS to upload malicious ZIP modules containing PHP reverse shell code, leading to remot...

This vulnerability allows authenticated attackers to upload malicious PHP files through the Elfinder file manager in WBCE CMS version 1.6.2, leading t...

appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through...

Dotclear 2.29 contains an authenticated remote code execution vulnerability where attackers with valid credentials can upload malicious PHP files thro...

This CSRF vulnerability in the Video Merchant WordPress plugin allows unauthenticated attackers to upload arbitrary files by tricking administrators i...

LeptonCMS 7.3.0 contains an arbitrary file upload vulnerability due to insufficient file validation. Authenticated attackers can upload malicious ZIP/...

The Demo Importer Plus WordPress plugin allows authenticated attackers with author-level access or higher to upload arbitrary files due to insufficien...

The PostGallery WordPress plugin has a vulnerability that allows authenticated users with subscriber-level permissions or higher to upload arbitrary f...

The Blubrry PowerPress WordPress plugin allows authenticated attackers with Contributor-level access or higher to upload arbitrary files due to insuff...

The Vitepos WordPress plugin allows authenticated users with subscriber-level access or higher to upload arbitrary files due to missing file type vali...

The URL Image Importer WordPress plugin allows authenticated attackers with Author-level access or higher to upload arbitrary files, including PHP fil...

The Enable SVG, WebP, and ICO Upload WordPress plugin allows authenticated attackers with author-level access or higher to upload arbitrary files due ...

The WP Dropzone WordPress plugin allows authenticated users with subscriber-level access or higher to upload arbitrary files to the server due to insu...

QaTraq 6.9.2 contains an unrestricted file upload vulnerability that allows authenticated users to upload PHP files, leading to remote code execution....

The Blocksy Companion WordPress plugin allows authenticated users with author privileges or higher to upload arbitrary files due to insufficient SVG f...

The Smart Auto Upload Images WordPress plugin allows authenticated attackers with Contributor-level access or higher to upload arbitrary files due to ...

The EM Beer Manager WordPress plugin allows authenticated attackers with subscriber-level access or higher to upload arbitrary files, including PHP fi...

This vulnerability allows authenticated attackers to upload PHP files to Nagios XI's Audio Import directory and execute them, leading to remote code e...

The AP Background WordPress plugin versions 3.8.1 to 3.8.2 contain an arbitrary file upload vulnerability due to missing authorization and insufficien...

The Embed PDF for WPForms WordPress plugin allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing ...

The StoreEngine WordPress plugin up to version 1.5.0 has an arbitrary file upload vulnerability in its import function. Authenticated attackers with S...

CVE-2025-56263 is an arbitrary file upload vulnerability in by-night sms V1.0 that allows attackers to upload any file type and size via the /api/sms/...

This vulnerability allows remote unauthenticated attackers to execute arbitrary code on Ivanti Endpoint Manager systems by exploiting insufficient fil...

The AI Engine WordPress plugin versions 2.9.3 and 2.9.4 contain an arbitrary file upload vulnerability in the REST API endpoint. This allows authentic...

CVE-2025-8323 is an arbitrary file upload vulnerability in e-School from Ventem that allows unauthenticated remote attackers to upload malicious files...

The Droip WordPress plugin allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files due to missing file type va...

CVE-2025-46384 is an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to vulnerable systems. This coul...

The Pixabay Images WordPress plugin allows authenticated attackers with Author-level access or higher to upload arbitrary files due to missing file ty...

The WordPress Automatic Plugin has a vulnerability allowing authenticated attackers with Author-level access or higher to upload arbitrary files due t...

The Axle Demo Importer WordPress plugin through version 1.0.3 contains an arbitrary file upload vulnerability that allows authenticated users with aut...

The Abandoned Cart Pro for WooCommerce plugin contains an authenticated arbitrary file upload vulnerability that allows attackers with subscriber-leve...

The WP User Frontend Pro plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to upload...

The MasterStudy LMS Pro WordPress plugin allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing fi...