CVE-2011-10041

CRITICAL EXPLOITED

Uploadify WordPress plugin <1.0 - RCE

Description

Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location.

Scores

CVSS v4: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0008
EPSS Percentile: 23.1%

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2011-02-21
CWE: CWE-434
Status: published
Products (1): Steven/Uploadify < 1.0
Published: Jan 15, 2026
Tracked Since: Feb 18, 2026